If the start time of a search is set to 03:35:08, will it look back to 03:00:00 when using -30m@h?

When using the search time modifier "-30m@h," the search will look back 30 minutes to the nearest hour mark. In this case, the start time is set to 03:35:08. Applying "-30m@h," the nearest hour is 03:00:00, as it rounds down to the last hour.

The calculation works as follows:

1. The time modifier “-30m@h” indicates that the search will include events from 30 minutes before the start of the nearest hour.

2. The nearest hour, in this instance, is 03:00:00.

3. By subtracting 30 minutes from 03:00:00, the search will indeed go back to 02:30:00.

Thus, since the search looks back to 02:30:00, it does not actually look back to 03:00:00 specifically; instead, it encompasses the duration from 02:30:00 to 03:00:00 and continues up to the start time of 03:35:08. Therefore, confirming that yes, the search will effectively look back beyond the stated time frame, validating why the initial response was appropriate.