- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Setting a time range from field data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to make 2 reports based on a time frame from field data. The first search has to pick the data from 1 week ago and the second search needs to get the data within 5 and 10 days from the initial timestamp in the field
I achieved the first by using | where timeField>=relative_time(now(),"-1w") AND _time<=now()
This correctly gives me data from this point until 1 week ago
How do I alter the search to get data from within 5 and 10 days from the timestamp in timeField?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you're talking about merging those two searches, give this a try
your base search [search your base search | where timeField>=relative_time(now(),"-1w") AND _time<=now() | stats min(timeField) as timeField | eval earliest=relative_time(timeField,"-10d") | eval latest=relative_time(timeField,"-5d") | table earliest latest] | rest of the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you're talking about merging those two searches, give this a try
your base search [search your base search | where timeField>=relative_time(now(),"-1w") AND _time<=now() | stats min(timeField) as timeField | eval earliest=relative_time(timeField,"-10d") | eval latest=relative_time(timeField,"-5d") | table earliest latest] | rest of the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for the lack of description in my question. This is not 100% what I wanted but I was able to use most of your search to create what I wanted
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure I understand your intent, but I have a set of searches that adjust _time several different ways. Perhaps you can find what you are looking for in them.
The set of searches looks back for the past 30 minutes for "DOT1X_State=unauthorized", dedups the results, uses stats to count up the results and rolls them into a report called "Last30". Then it looks back over the past 3 weeks and collects the data from the same 30 minute window of time into individual reports and manipulates _time for each of these reports so timechart will display them together.
index=AAAAAAA earliest=-30m@m latest=-0m@m sourcetype=BBBBBBB DOT1X_State=unauthorized
| timechart span=30s count as TOTAL
| eval ReportKey="Last30"
| append [search index=AAAAAAA sourcetype=BBBBBBB DOT1X_State=unauthorized earliest=-10110m@m latest=-10080m@m
| timechart span=30s count as TOT
| eval ReportKey="1WkAgo"
| eval _time=_time+604800]
| append [search index=AAAAAAA sourcetype=BBBBBBB DOT1X_State=unauthorized earliest=-20190m@m latest=-20160m@m
| timechart span=30s count as TOT
| eval ReportKey="2WksAgo"
| eval _time=_time+1209600]
| append [search index=AAAAAAA sourcetype=BBBBBBB DOT1X_State=unauthorized earliest=-30270m@m latest=-30240m@m
| timechart span=30s count as TOT
| eval ReportKey="3WksAgo"
| eval _time=_time+1814400 ]
| timechart avg(TOT) as Three_week_average values(TOTAL) as The_previous_30_minutes
I hope you find a useful nugget in that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure I understand your requirement for the second search. Can you share some examples?
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
