https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479199#M134324 <PRE><CODE>foo | timechart count span=1h | timewrap w | addinfo | where relative_time(_time, "@h")==relative_time(info_max_time,"-1h@h") </CODE></PRE> <P>Query order is wrong.<BR /> If you have wrong result, try and check line by line.</P> Wed, 22 Apr 2020 20:23:15 GMT to4kawa 2020-04-22T20:23:15Z https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479194#M134319 <P>Right now I have a search set up that compares the previous hours events to the same hour 1 week ago:</P> <PRE><CODE>foo | timechart count span=1h | where strftime(_time, "%A %H")==strftime(relative_time(now(),"-1h"),"%A %H") </CODE></PRE> <P>However I would like to add it to a dashboard and instead of having everything relative to "now" I would like it to be based on the time picker. How can I change the second strftime to allow me to do this? Currently I have to set the time picker to the previous 7 days to get this to work on the report, though I'm not married to that implementation. <BR /> I have tried the below search, however it doesn't return any events:</P> <PRE><CODE>foo| timechart count span=1h | where strftime(_time, "%A %H")==strftime(latest,"%A %H") </CODE></PRE> <P>I tried using addinfo, but to no avail:</P> <PRE><CODE>foo | addinfo | eval high=strftime(relative_time(info_max_time, "-1h"), "%A %H") | timechart count span=1h | where strftime(_time, "%A %H")==high </CODE></PRE> Wed, 22 Apr 2020 12:58:58 GMT https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479194#M134319 jasonmadesometh 2020-04-22T12:58:58Z https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479195#M134320 <P>did you look into the <CODE>timewrap</CODE> command?<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Timewrap">https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Timewrap</A></P> Wed, 22 Apr 2020 13:04:54 GMT https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479195#M134320 adonio 2020-04-22T13:04:54Z https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479196#M134321 <P>try <CODE>addinfo</CODE> 's <CODE>info_max_time</CODE></P> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo</A></P> Wed, 22 Apr 2020 13:07:10 GMT https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479196#M134321 to4kawa 2020-04-22T13:07:10Z https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479197#M134322 <P>foo<BR /> | addinfo<BR /> | timechart count span=1h <BR /> | timewrap w<BR /> | where strftime(_time, "%A %H")==strftime(relative_time(info_max_time,"-1h"),"%A %H")</P> <P>returns no results as well</P> Wed, 30 Sep 2020 05:04:18 GMT https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479197#M134322 jasonmadesometh 2020-09-30T05:04:18Z https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479198#M134323 <P>Yeah, timewrap worked perfectly for the graph, though I'm trying to generate a scorecard for a dashboard. My timewrap command looks like this:<BR /> foo<BR /> | timechart count span=5m <BR /> | timewrap w<BR /> | where strftime(_time, "%A")=="Monday"</P> <P>And what I would like to do is replace that monday string with something I can base off the time picker's latest property</P> Wed, 22 Apr 2020 13:15:11 GMT https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479198#M134323 jasonmadesometh 2020-04-22T13:15:11Z https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479199#M134324 <PRE><CODE>foo | timechart count span=1h | timewrap w | addinfo | where relative_time(_time, "@h")==relative_time(info_max_time,"-1h@h") </CODE></PRE> <P>Query order is wrong.<BR /> If you have wrong result, try and check line by line.</P> Wed, 22 Apr 2020 20:23:15 GMT https://community.splunk.com/t5/Splunk-Search/use-latest-as-part-of-where-clause/m-p/479199#M134324 to4kawa 2020-04-22T20:23:15Z