topic Re: How to achieve to _time filter with transpose? in Splunk Enterprise

How to achieve to _time filter with transpose?

jip31 — Fri, 18 Nov 2022 06:41:54 GMT

I use a search thats transpose events with span of 30 m

the end of the search is this one

as you can see, I just display events which exist in a specific time range

| where _time <= now() AND _time >= now()-14400

It works fine but just when the timepicker choice is "today"

I would like to do the same think on previous timepicker choice like "last 7 days" or "last 30 days"

Could you help please?

Re: How to achieve to _time filter with transpose?

rnowitzki — Fri, 18 Nov 2022 08:58:58 GMT

Hi @jip31,

It seems to work in general for me, independent of the timepicker setting (well, if you select less than 4 hours it will only show you events from the selected range or course).

Can you show the first part of the search? Is there a timechart or something that groups by 30 min?
Because when I use the given part of the search I get columns for each minute.

Is there a reason why you filter the time range in the SPL instead of selecting e.g. "last 4 hours"?

Ralph

Re: How to achieve to _time filter with transpose?

jip31 — Fri, 18 Nov 2022 09:56:34 GMT

Yes there is a timechart

Re: How to achieve to _time filter with transpose?

jip31 — Mon, 21 Nov 2022 05:23:13 GMT

Is anybody can help please?

Re: How to achieve to _time filter with transpose?

rnowitzki — Mon, 21 Nov 2022 09:42:37 GMT

Hi @jip31 ,

Can you please give more details about your use case?

I tested your SPL and it works in general. It gets into troubles when you set the time picker to several days.
One limitation are the sort commands. (sort 0 time might help).

But in general I don't see a reason why you'd select events of 7d and then limit in in the search to 4 hours.
Is there a reason to limit time later, instead of using the time picker?

Ralph

Re: How to achieve to _time filter with transpose?

jip31 — Mon, 21 Nov 2022 13:26:33 GMT

Until now, I just was using this search for "Today" time range

Now I need to see the results on the period selected in the timepicker

Contrary to I said at the beginning, if I chose "Last 7days" for example, I can see all the results for this period

I have just replaced

| eval time=strftime(_time,"%H:%M")

| eval time=strftime(_time,"%d-%m %H:%M")

in order to see not only the hour but also the day concernend

So it gives me this

Now the last thing I want to do is to not display the events between 19:00 PM and 6 AM

It means I just need to display the events between 6:AM and 19:00 PM

Have you an idea please for doing this?

Re: How to achieve to _time filter with transpose?

rnowitzki — Mon, 21 Nov 2022 15:13:54 GMT

Ah ok, I understand now.

You could throw away the irrelevant hours:

| eval hour=strftime(_time, "%H") | where hour>=6 AND hour<=18

Re: How to achieve to _time filter with transpose?

jip31 — Mon, 21 Nov 2022 15:27:43 GMT

any results with this

Re: How to achieve to _time filter with transpose?

rnowitzki — Mon, 21 Nov 2022 20:57:01 GMT

You mean no results?

Maybe you used it "too late". As we use _time to retrieve the "hour", the _time field of course still has to be in the resultset.

Try to use it in this location of the SPL:

Re: How to achieve to _time filter with transpose?

jip31 — Tue, 22 Nov 2022 05:19:19 GMT

perfect thanks