topic Default Start Timerange from 10am in Getting Data In

Default Start Timerange from 10am

Melstrathdee — Fri, 24 May 2019 04:02:13 GMT

I am working on a wall board dashboard regarding incidents created from 10am till now. So if it is before 10am I want to return results from 10am yesterday. If it is after 10am today then I want results from 10am today.

I found the syntax for for getting all the results for the beginning of the current week

earliest=@w0

I was hoping there might be something similar like

earliest=@h10

Any suggestions?

Re: Default Start Timerange from 10am

nabeel652 — Fri, 24 May 2019 04:10:46 GMT

use

earliest = @d+10h

For events after 10am today

Re: Default Start Timerange from 10am

Melstrathdee — Fri, 24 May 2019 04:21:58 GMT

Thanks nabell652 we are on the same page I'm currently using but it only works for events when I'm looking at the dashboard between 10am and midnight.

I also need to cover midnight to 9:59.

Re: Default Start Timerange from 10am

nabeel652 — Fri, 24 May 2019 04:30:14 GMT

if it is in a different search you can use

earliest=@d latest=@d+10h

And for 10am till now

earliest=@d+10h latest=now

Re: Default Start Timerange from 10am

Melstrathdee — Fri, 31 May 2019 00:53:42 GMT

I found the solution:

Logic:

a "normal day" is 10am till 10am each day.
So if it is before 10am - the time range will be 10am the previous day till the current time.
If it is after 10am then the time will from 10am today till now.

Date Time Calculation:

we run a base search with the id of DatePicker
To do this we calculate the current time and set the hnow to be the current hour.
Then we run an if statement to set the earliest time variable based on if it is before 10am
when the search is done we set the earliest time range token.

| makeresults | head 1 | eval hnow = strftime(now(), "%H")
| fields hnow
| eval x=if(hnow > 9,"@d+10h","-1d@d+10h")

-1m
now
1m

$result.x$

Hope this helps someone else.