Hi,
I have an issue with a Splunk search. Here is my query:
host=secmailstd1
| eval tempQueue=coalesce(queue_id,amavisQueue)
| transaction tempQueue
| eval filterstatus=case(amavisStatus="Passed CLEAN {RelayedInbound}", "Sauber", amavisStatus="Passed SPAM {RelayedTaggedInbound}", "Spam", amavisStatus="Blocked SPAM {DiscardedInbound,Quarantined}", "Spam in Quarantäne", amavisStatus="Passed SPAMMY {RelayedTaggedInbound}", "Spam", amavisStatus="Passed UNCHECKED {RelayedTaggedInbound}", "Unchecked")
| search to="" amavisStatus=""
| table _time from to status filterstatus
The displayed data ranges from 14.10.2013 to 31.10.2013 (1231 entries) (all dates chosen), but if I choose the last 4 hours, there is data from today which was not shown before.
I would like to get the whole time range.
I hope my request is understandable.
Thank you very much.