How to I specify and earliest/latest search relati...

kkanand · ‎09-23-2022

How to I specify and earliest/latest search relative to the global time range selector.

So if I choose 9/22/2022 in the global time range selector.

I want my search to search from

2am to 3pm on that day.

When I specify earliest=@d+2h latests=@d+15h this completely overrides the global time selector and I get current time instead for the date from the global time range selector.

kkanand · ‎09-26-2022

Above didnt work
index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat" | fields o_p_name | table _time o_p_name

time window

(2:30 AM - 3 PM)

(3 PM - 11 PM)

ITWhisperer · ‎09-25-2022

<your search> [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]

kkanand · ‎09-26-2022

Above didnt work
index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat" | fields o_p_name | table _time o_p_name

time window

(2:30 AM - 3 PM)

(3 PM - 11 PM)

ITWhisperer · ‎09-27-2022

What are you saying here? You don't appear to have included my suggestion and your requirement appears to have changed (with different time windows)!

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h+30m")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name

kkanand · ‎09-27-2022

I am sorry. I forgot to write more on that.
I was using the above query in 2 different panels for 2 different time windows.

Panel 1. 2.30 am to 3 pm - Specified Custom time > Advanced > Earliest = @d+8h+30m and Latest = @d+21h

Panel 2. 3pm to 11pm - Specified Custom time > Advanced > Earliest > @d+15h and Latest = @d+23h

And the data is not showing up properly with this query.

Can you please suggest the changes needed

Thank you

ITWhisperer · ‎09-27-2022

One panel uses the query like this

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h+30m")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name

The other panel uses the query like this

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+15h")
  | eval latest=relative_time(info_min_time,"@d+23h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name

Both panels use the global time picker

kkanand · ‎09-28-2022

You have reached the limit for number of private messages that you can send for now. Please try again later.

I am getting error.
--------------------------------------------------------
I added the new query you sent

But the data is not coming up.

-----------------------------------------------------------

Can you PM your email id then I can reply to that

johnhuang · ‎09-23-2022

Extract the hour (00, 01, 02, .., 24) from time and filter by it.

| eval evt_hour=strftime(_time, "%H") 
| where evt_hour>=2 AND evt_hour<=15

kkanand · ‎09-26-2022

Above didnt work
index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat" | fields o_p_name | table _time o_p_name

time window