Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Setting a time range from field data

Sverblaauw
New Member
‎07-21-2016 04:47 AM

I am trying to make 2 reports based on a time frame from field data. The first search has to pick the data from 1 week ago and the second search needs to get the data within 5 and 10 days from the initial timestamp in the field

I achieved the first by using | where timeField>=relative_time(now(),"-1w") AND _time<=now()
This correctly gives me data from this point until 1 week ago

How do I alter the search to get data from within 5 and 10 days from the timestamp in timeField?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-21-2016 01:02 PM

Assuming you're talking about merging those two searches, give this a try

your base search [search your base search  | where timeField>=relative_time(now(),"-1w") AND _time<=now() | stats min(timeField) as timeField | eval earliest=relative_time(timeField,"-10d") | eval latest=relative_time(timeField,"-5d") | table earliest latest] | rest of the search

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-21-2016 01:02 PM

Assuming you're talking about merging those two searches, give this a try

your base search [search your base search  | where timeField>=relative_time(now(),"-1w") AND _time<=now() | stats min(timeField) as timeField | eval earliest=relative_time(timeField,"-10d") | eval latest=relative_time(timeField,"-5d") | table earliest latest] | rest of the search
0 Karma
Reply
Solved! Jump to solution

Sverblaauw
New Member
‎07-22-2016 06:27 AM

Sorry for the lack of description in my question. This is not 100% what I wanted but I was able to use most of your search to create what I wanted

0 Karma
Reply
Solved! Jump to solution

mydog8it
Builder
‎07-21-2016 12:51 PM

I'm not sure I understand your intent, but I have a set of searches that adjust _time several different ways. Perhaps you can find what you are looking for in them.
The set of searches looks back for the past 30 minutes for "DOT1X_State=unauthorized", dedups the results, uses stats to count up the results and rolls them into a report called "Last30". Then it looks back over the past 3 weeks and collects the data from the same 30 minute window of time into individual reports and manipulates _time for each of these reports so timechart will display them together.

index=AAAAAAA earliest=-30m@m latest=-0m@m sourcetype=BBBBBBB DOT1X_State=unauthorized
 | timechart span=30s count as TOTAL
 | eval ReportKey="Last30"
 | append [search index=AAAAAAA sourcetype=BBBBBBB DOT1X_State=unauthorized earliest=-10110m@m latest=-10080m@m
 | timechart span=30s count as TOT
 | eval ReportKey="1WkAgo"
 | eval _time=_time+604800]
 | append [search index=AAAAAAA sourcetype=BBBBBBB DOT1X_State=unauthorized earliest=-20190m@m latest=-20160m@m
 | timechart span=30s count as TOT 
 | eval ReportKey="2WksAgo"
 | eval _time=_time+1209600]
 | append [search index=AAAAAAA sourcetype=BBBBBBB DOT1X_State=unauthorized earliest=-30270m@m latest=-30240m@m
 | timechart span=30s count as TOT 
 | eval ReportKey="3WksAgo"
 | eval _time=_time+1814400 ]
 | timechart avg(TOT) as Three_week_average values(TOTAL) as The_previous_30_minutes

I hope you find a useful nugget in that.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-21-2016 10:29 AM

Not sure I understand your requirement for the second search. Can you share some examples?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...