Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a time range specifier for "last 24 hours of available data"?

HXCaine
Path Finder
‎08-28-2012 01:54 AM

I would like to display a chart for only the last 24 hours of data, but I don't want the charts to be empty if I haven't imported the data today, I'd like it to just show the last available 24 hours' worth of data.

(This is because the data is currently coming from another machine and I have to manually import log files for the moment.)

How can I specify "last 24 hours of data that is available"?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎08-28-2012 02:29 AM

There's nothing built-in that I know of, in part because this kind of usage differs somewhat from how Splunk is used in a typical case.

What you could do is get the newest event in the index, grab its timestamp and then search on any events that have a timestamp that's at most 24 hours older than that. Something like this should work:

_time>[search * | head 1 | eval _time=_time-86400 | return $_time]

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎08-28-2012 02:29 AM

There's nothing built-in that I know of, in part because this kind of usage differs somewhat from how Splunk is used in a typical case.

What you could do is get the newest event in the index, grab its timestamp and then search on any events that have a timestamp that's at most 24 hours older than that. Something like this should work:

_time>[search * | head 1 | eval _time=_time-86400 | return $_time]
Reply
Solved! Jump to solution

HXCaine
Path Finder
‎09-05-2012 04:23 AM

Just a note for anybody using this: using 'search *' will search all sourcetypes, so if you have newly indexed data in another sourcetype you may get no data returned in your query. Instead, use 'search sourcetype="blah" | head 1 ...' and it will search specifically within this sourcetype

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎08-28-2012 05:58 AM

+1 cool. was unaware of return $...
no more messing around with query=... | format "" "" "" "" "" "" .....

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...