Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Setting a time range from field data

Sverblaauw
New Member
‎07-21-2016 04:47 AM

I am trying to make 2 reports based on a time frame from field data. The first search has to pick the data from 1 week ago and the second search needs to get the data within 5 and 10 days from the initial timestamp in the field

I achieved the first by using | where timeField>=relative_time(now(),"-1w") AND _time<=now()
This correctly gives me data from this point until 1 week ago

How do I alter the search to get data from within 5 and 10 days from the timestamp in timeField?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-21-2016 01:02 PM

Assuming you're talking about merging those two searches, give this a try

your base search [search your base search  | where timeField>=relative_time(now(),"-1w") AND _time<=now() | stats min(timeField) as timeField | eval earliest=relative_time(timeField,"-10d") | eval latest=relative_time(timeField,"-5d") | table earliest latest] | rest of the search

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-21-2016 01:02 PM

Assuming you're talking about merging those two searches, give this a try

your base search [search your base search  | where timeField>=relative_time(now(),"-1w") AND _time<=now() | stats min(timeField) as timeField | eval earliest=relative_time(timeField,"-10d") | eval latest=relative_time(timeField,"-5d") | table earliest latest] | rest of the search
0 Karma
Reply
Solved! Jump to solution

Sverblaauw
New Member
‎07-22-2016 06:27 AM

Sorry for the lack of description in my question. This is not 100% what I wanted but I was able to use most of your search to create what I wanted

0 Karma
Reply
Solved! Jump to solution

mydog8it
Builder
‎07-21-2016 12:51 PM

I'm not sure I understand your intent, but I have a set of searches that adjust _time several different ways. Perhaps you can find what you are looking for in them.
The set of searches looks back for the past 30 minutes for "DOT1X_State=unauthorized", dedups the results, uses stats to count up the results and rolls them into a report called "Last30". Then it looks back over the past 3 weeks and collects the data from the same 30 minute window of time into individual reports and manipulates _time for each of these reports so timechart will display them together.

index=AAAAAAA earliest=-30m@m latest=-0m@m sourcetype=BBBBBBB DOT1X_State=unauthorized
 | timechart span=30s count as TOTAL
 | eval ReportKey="Last30"
 | append [search index=AAAAAAA sourcetype=BBBBBBB DOT1X_State=unauthorized earliest=-10110m@m latest=-10080m@m
 | timechart span=30s count as TOT
 | eval ReportKey="1WkAgo"
 | eval _time=_time+604800]
 | append [search index=AAAAAAA sourcetype=BBBBBBB DOT1X_State=unauthorized earliest=-20190m@m latest=-20160m@m
 | timechart span=30s count as TOT 
 | eval ReportKey="2WksAgo"
 | eval _time=_time+1209600]
 | append [search index=AAAAAAA sourcetype=BBBBBBB DOT1X_State=unauthorized earliest=-30270m@m latest=-30240m@m
 | timechart span=30s count as TOT 
 | eval ReportKey="3WksAgo"
 | eval _time=_time+1814400 ]
 | timechart avg(TOT) as Three_week_average values(TOTAL) as The_previous_30_minutes

I hope you find a useful nugget in that.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-21-2016 10:29 AM

Not sure I understand your requirement for the second search. Can you share some examples?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...