Omit time range in query

dataisbeautiful — Tue, 05 Dec 2023 09:29:12 GMT

I am querying a change in a value each week over last 4 weeks. Ineed to know the value from the week before the search window to work out the change correctly.

index=ind sourcetype=src (type=instrument) earliest=-5w@w+1d latest=@w+1d
| bucket _time span=7d
| stats max(reading) as WeekMax by _time
| streamstats current=f last(WeekMax) as LastWeekMax
| eval WeekDelta = WeekMax - LastWeekMax
| eval WeekDelta = if(WeekDelta < 0, 0.000000, WeekDelta)
| table _time, WeekMax, WeekDelta

I don't want to show the time for the week before the query (-5th week). Any tips on how to change this query to only show results for last 4 weeks but still calculating the change correctly?

Thanks

Re: Omit time range in query

ITWhisperer — Tue, 05 Dec 2023 12:09:23 GMT

| where _time > relative_time(now(),"-4w@w+1d")

topic Omit time range in query in Splunk Search

Omit time range in query

Re: Omit time range in query