Closed ctyk3322 closed 6 years ago
You're using it correctly.
Initially the latest and earliest args were meant to be used at the command line, and if the GUI values were found it would just default to them. This is confusing and incorrect.
I'll put up a fix. Thanks for reporting!
@ctyk3322
I've fixed the issue, note however that when earliest and latest parameters are specified this will be the effective range for the search, even though the range below the search bar shows the one from the timepicker.
You can easily verify this by adjusting the earliest/latest parameters and the timepicker, while checking the number of events returned.
Not sure if I am using the field incorrectly or not, but when I populate those fields (i.e. now-6M or now-1y) the time doesn't actually reflect those values. Instead it just takes whatever time value is populated in the Splunk GUI.
tsfield="@timestamp" latest=now earliest="now-1y" If Splunk is set to look at the last 15 minutes, the http query sent to ElasticSearch is 15 minutes not back to 1 year.
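The precedence bug described in this thread (timepicker values silently overriding explicit earliest/latest arguments) and the suggested verification step (compare event counts after changing the arguments and the timepicker) can both be illustrated with a small model. The following is an added example, not code from the project or from anyone in the thread: the function names, the argument dictionaries, the constructed documents and the fixed clock are all hypothetical, and the real command resolves its range differently (Splunk passes the timepicker range to a custom command as epoch values, and the real Elasticsearch query is built by the project's own code). Elasticsearch itself accepts the `now-1y` date-math syntax in a range query, so the fixed resolver passes the expressions through unchanged; the tiny parser below exists only to simulate the hit count offline.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed clock so the simulated counts are reproducible (constructed, not real data).
NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)

_UNITS = {"m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def parse_date_math(expr, now=NOW):
    """Minimal subset of Elasticsearch date math: 'now' and 'now-<n><unit>'.

    Units m, h, d, w are exact; M and y are approximated as 30/365 days,
    which is good enough for a simulated hit count (hypothetical helper).
    """
    expr = expr.strip()
    if expr == "now":
        return now
    m = re.fullmatch(r"now-(\d+)([mhdwMy])", expr)
    if not m:
        raise ValueError(f"unsupported date math: {expr!r}")
    n, unit = int(m.group(1)), m.group(2)
    if unit == "M":
        return now - timedelta(days=30 * n)
    if unit == "y":
        return now - timedelta(days=365 * n)
    return now - timedelta(**{_UNITS[unit]: n})


def resolve_range_buggy(args, timepicker):
    """Behaviour reported in the issue: the GUI timepicker range, when present, wins."""
    earliest = timepicker.get("earliest") or args.get("earliest")
    latest = timepicker.get("latest") or args.get("latest")
    return earliest, latest


def resolve_range_fixed(args, timepicker):
    """Fixed precedence: explicit earliest/latest args are the effective range,
    and the timepicker is only a fallback when an argument is absent."""
    earliest = args.get("earliest") or timepicker.get("earliest")
    latest = args.get("latest") or timepicker.get("latest")
    return earliest, latest


def build_es_query(tsfield, earliest, latest):
    """Range filter sent to Elasticsearch; date-math strings are passed through as-is."""
    return {"query": {"range": {tsfield: {"gte": earliest, "lte": latest}}}}


def count_hits(docs, tsfield, earliest, latest):
    """Simulate how many constructed documents fall inside the resolved range."""
    lo, hi = parse_date_math(earliest), parse_date_math(latest)
    return sum(1 for d in docs if lo <= d[tsfield] <= hi)


# Constructed inputs: the command line from the issue and a "last 15 minutes" timepicker.
ARGS = {"tsfield": "@timestamp", "earliest": "now-1y", "latest": "now"}
TIMEPICKER = {"earliest": "now-15m", "latest": "now"}

# Constructed index contents: one document per age bucket.
DOCS = [
    {"@timestamp": NOW - timedelta(minutes=5)},
    {"@timestamp": NOW - timedelta(days=3)},
    {"@timestamp": NOW - timedelta(days=200)},
    {"@timestamp": NOW - timedelta(days=730)},
]


def compare_counts(args=ARGS, timepicker=TIMEPICKER, docs=DOCS):
    """The verification step from the thread: same arguments, two resolvers, two counts."""
    tsfield = args["tsfield"]
    buggy = count_hits(docs, tsfield, *resolve_range_buggy(args, timepicker))
    fixed = count_hits(docs, tsfield, *resolve_range_fixed(args, timepicker))
    return {"buggy": buggy, "fixed": fixed}


if __name__ == "__main__":
    for name, resolver in (("buggy", resolve_range_buggy), ("fixed", resolve_range_fixed)):
        earliest, latest = resolver(ARGS, TIMEPICKER)
        print(name, build_es_query(ARGS["tsfield"], earliest, latest))
    print(compare_counts())
```

With the buggy resolver the query covers only the timepicker's 15 minutes and matches a single document; with the fixed resolver the explicit one-year range applies and three documents match, which is exactly the count difference the maintainer suggests checking. Note that, as the maintainer says, the range shown under the search bar still reflects the timepicker, so the event count rather than the displayed range is the reliable signal.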