I am working on a wall board dashboard regarding incidents created from 10am till now. So if it is before 10am I want to return results from 10am yesterday. If it is after 10am today then I want results from 10am today.
I found the syntax for getting all the results from the beginning of the current week
earliest=@w0
I was hoping there might be something similar like
earliest=@h10
Any suggestions?
I found the solution:
Logic:
Date Time Calculation:
When the search is done, we set the earliest time range token.
| makeresults | head 1 | eval hnow = strftime(now(), "%H")
| fields hnow
| eval x=if(hnow > 9,"@d+10h","-1d@d+10h")
Hope this helps someone else.
use
earliest = @d+10h
For events after 10am today
Thanks nabell652, we are on the same page. I'm currently using it, but it only works for events when I'm looking at the dashboard between 10am and midnight.
I also need to cover midnight to 9:59.
If it is in a different search you can use
earliest=@d latest=@d+10h
And for 10am till now
earliest=@d+10h latest=now
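As an added example (Python, not Splunk SPL, and not code from any poster in this thread), the following models the two pieces of logic the thread settles on: the accepted answer's rule that picks "@d+10h" or "-1d@d+10h" from the current hour, and the last answer's fixed "@d" to "@d+10h" overnight window. It resolves those relative-time modifiers to absolute timestamps so you can check what a wallboard search would actually cover at, say, 08:30 or 14:05. The modifier resolver is a hypothetical, deliberately small model of Splunk's syntax (only "now", signed offsets and "@" snaps); Splunk's own parser is more general, and the timestamps are timezone-naive, as a Splunk search head's local time would be.

```python
from datetime import datetime, timedelta
import re

# Constructed model of the Splunk relative-time modifiers used in this thread.
# It is an illustration, not Splunk's own parser: only "now", +/-N{s,m,h,d,w}
# offsets, @{s,m,h,d} snaps and @w / @w0..@w6 weekday snaps are understood.
_TOKEN = re.compile(r"([+-]\d+)([smhdw])|@([smhd])|@w(\d?)")
_OFFSET_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def _snap(t, unit, arg=""):
    """Snap t down to the start of the unit; @w/@w0 is Sunday, @w1..@w6 Monday..Saturday."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    target = int(arg) if arg else 0          # Splunk numbers Sunday as 0
    back = (day.weekday() + 1 - target) % 7  # Python numbers Monday as 0
    return day - timedelta(days=back)


def resolve_modifier(modifier, now):
    """Apply the modifier's offsets and snaps left to right, starting from `now`."""
    if modifier == "now":
        return now
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:  # unparsed characters between tokens, e.g. "@h10"
            raise ValueError(f"unsupported modifier: {modifier!r}")
        pos = m.end()
        if m.group(1):
            t += timedelta(**{_OFFSET_UNITS[m.group(2)]: int(m.group(1))})
        elif m.group(3):
            t = _snap(t, m.group(3))
        else:
            t = _snap(t, "w", m.group(4))
    if pos == 0 or pos != len(modifier):
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return t


def choose_earliest(now):
    """The accepted answer's rule: hour > 9 means 10am today, otherwise 10am yesterday."""
    hnow = int(now.strftime("%H"))
    return "@d+10h" if hnow > 9 else "-1d@d+10h"


def incident_window(now):
    """Absolute (earliest, latest) pair for the wallboard's 'since 10am' view."""
    return resolve_modifier(choose_earliest(now), now), now


def overnight_window(now):
    """The last answer's fixed midnight-to-10am window, resolved against `now`."""
    return resolve_modifier("@d", now), resolve_modifier("@d+10h", now)


if __name__ == "__main__":
    # Constructed sample times: one before 10am, one after.
    for sample in (datetime(2024, 3, 5, 8, 30), datetime(2024, 3, 5, 14, 5)):
        start, end = incident_window(sample)
        print(f"{sample:%Y-%m-%d %H:%M}  token={choose_earliest(sample):<10}"
              f"  earliest={start:%Y-%m-%d %H:%M}  latest={end:%H:%M}")
```

Running it shows that at 08:30 the window opens at 10:00 the previous day and at 14:05 it opens at 10:00 the same day, which is exactly the gap the original poster hit with a bare "earliest=@d+10h" (before 10am that modifier resolves to a point in the future). The resolver also rejects "@h10", the form the question hoped existed, since no snap token takes an hour argument in this subset.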