Hello,
I need to get the daily event count per week. So far I did this using the query:
index = * myBaseQuery |bucket _time span=day |stats count by _time | sort -count
But there is some relative time computation happening, as per the functionality, and that relative time is stored in the variable finalRelDate:
| eval relDate=relative_time(initialDate, "-1d@d")
| eval finalRelDate =strftime(relDate, "%F")
My question is: I have to bucket the results (event count) based on finalRelDate, which I am not able to get working.
Can anybody help with this?
Thank you.
Aren't you looking to use the time modifiers, something like:
earliest=-1w@w latest=@d index=_internal sourcetype=splunkd* |bucket _time span=day |stats count by _time | sort -count
Let me know if there is more to your question and I haven't got it.
@saitejagayala Did you try assigning finalRelDate to _time?
Before the bucket command, try adding eval _time=finalRelDate
You can run your bucket and stats on relDate (while it's in epoch format).
index = * myBaseQuery | eval relDate=relative_time(initialDate, "-1d@d")|bucket relDate span=day |stats count by relDate | sort -count
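A self-contained search, added here as an illustration and not posted by any of the participants, that generates constructed events with makeresults and streamstats (no index needed), applies relative_time on the epoch value, counts per snapped day, and only then converts the epoch to the "%F" string for display. The field names initialDate, relDate and finalRelDate are the ones from the question; the hourly spacing of the sample events is an assumption.

```spl
| makeresults count=48
| streamstats count AS n
| eval initialDate = now() - (n * 3600)
| eval relDate = relative_time(initialDate, "-1d@d")
| stats count BY relDate
| eval finalRelDate = strftime(relDate, "%F")
| sort -count
| fields finalRelDate count
```

Because "@d" already snaps relDate to midnight, stats by relDate groups per day without a separate bucket; the strftime string is produced after stats so that the grouping is done on the numeric epoch, not on text.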