At the time of searching the start time is 03:35:08.
Will it look back to 03:00:00 if we use -30m@h in searching?
At the time of searching the start time is 03:35:08.
Will it look back to 03:00:00 if we use -30m@h in searching?
Using the time specifier -30m@h means '30 minutes ago from the start of the current hour'. At the time of searching, 03:35:08, the start of the current hour would be 03:00:00. Subtracting 30 minutes from 03:00:00 takes us to 02:30:00. Therefore, the search will look back to 02:30:00, not 03:00:00. However, it encompasses the time range from 02:30:00 to 03:00:00, so it includes 03:00:00 in the range.
In Splunk, the syntax -30m@h represents a relative time specifier that indicates a time range relative to the current time. In this specific case, the "-30m" part means 30 minutes ago, and the "@h" part means the beginning of the current hour. So, "-30m@h" represents a time range that starts 30 minutes ago from the beginning of the current hour and ends at the beginning of the current hour. For example, if the current time is 2:45 PM, "-30m@h" would represent the time range from 2:00 PM to 2:30 PM. so answer is Yes it will look at time from 3.00-3.30
Yes, page 64