I have a search like below.
If I run this search, let's say now, it fetches transactions (as per the display) not from the top of the hour, but from the time I ran the search.
Let's say I run this for the last 7 days.
It takes only from 8/8 15:00 hrs till now and not 8/8 00:00 hrs until now.
I tried 1d as well as 24 hours, but got the same thing. How do we have the results fetched from the top of the hour?
index!=_internal "test" | rex "(?i)fieldname1=(?P<FIELDNAME>[^]]+)" | dedup FIELDNAME | timechart span=1d count