Getting Data In

Default Start Timerange from 10am

Melstrathdee
Path Finder

I am working on a wall board dashboard regarding incidents created from 10am till now. So if it is before 10am I want to return results from 10am yesterday. If it is after 10am today then I want results from 10am today.

I found the syntax for getting all the results for the beginning of the current week

earliest=@w0

I was hoping there might be something similar like

earliest=@h10

Any suggestions?

0 Karma
1 Solution

Melstrathdee
Path Finder

I found the solution:

Logic:

  • a "normal day" is 10am till 10am each day.
  • So if it is before 10am, the time range will be 10am the previous day till the current time.
  • If it is after 10am then the time will be from 10am today till now.

Date Time Calculation:

  • we run a base search with the id of DatePicker
  • To do this we calculate the current time and set hnow to the current hour.
  • Then we run an if statement to set the earliest time variable based on whether it is before 10am
  • when the search is done we set the earliest time range token.

    <search id="DatePicker">
      <query>
        | makeresults | head 1 | eval hnow = strftime(now(), "%H")
        | fields hnow
        | eval x=if(hnow > 9,"@d+10h","-1d@d+10h")
      </query>
      <earliest>-1m</earliest>
      <latest>now</latest>
      <refresh>1m</refresh>
      <done>
        <!-- "earliest_tok" is a placeholder name for the earliest time range token -->
        <set token="earliest_tok">$result.x$</set>
      </done>
    </search>

Hope this helps someone else.

0 Karma
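The selection logic and the relative-time modifiers from the post above, as an added Python example that is not from the post or from Splunk: relative_time is an assumed, simplified emulation of Splunk's snap-to syntax (offsets, @unit, @wN) so the 09:59 / 10:00 / midnight boundaries can be checked offline, and window_start mirrors the if(hnow > 9, ...) eval written as hour >= 10.

```python
import re
from datetime import datetime, timedelta

# Subset of Splunk relative time (assumed emulation, not Splunk's parser):
# offsets like -1d / +10h, snaps like @m @h @d, and @w / @w0..@w6 (Sunday=0),
# applied left to right exactly as they appear in the modifier string.
_UNITS = {"m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
_TOKEN = re.compile(r"([+-]\d+)([mhdw])|@([mhd])|@w(\d)?")


def snap(dt, unit, weekday=None):
    """Round dt down to the start of unit; @w goes back to the most recent
    Sunday (or weekday N for @wN), matching the @w0 idiom from the question."""
    dt = dt.replace(second=0, microsecond=0)
    if unit in ("h", "d", "w"):
        dt = dt.replace(minute=0)
    if unit in ("d", "w"):
        dt = dt.replace(hour=0)
    if unit == "w":
        sunday_based = (dt.weekday() + 1) % 7        # Sunday=0 ... Saturday=6
        target = int(weekday) if weekday else 0
        dt -= timedelta(days=(sunday_based - target) % 7)
    return dt


def relative_time(modifier, now):
    """Evaluate a modifier such as '-1d@d+10h' against a naive local 'now'.
    Anything outside the grammar (e.g. the hoped-for '@h10') is rejected."""
    if modifier == "now":
        return now
    pos, dt = 0, now
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError(f"cannot parse {modifier!r} at offset {pos}")
        pos = m.end()
        if m.group(3):                                 # @m / @h / @d
            dt = snap(dt, m.group(3))
        elif m.group(1):                               # signed offset
            dt += timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})
        else:                                          # @w or @wN
            dt = snap(dt, "w", m.group(4))
    if pos != len(modifier):
        raise ValueError(f"trailing text in {modifier!r}")
    return dt


def window_modifier(now):
    """The accepted answer's eval: from 10:00 onward use today's 10am, else yesterday's."""
    return "@d+10h" if now.hour >= 10 else "-1d@d+10h"


def window_start(now):
    """Absolute start of the 10am-to-10am 'normal day' that contains now."""
    return relative_time(window_modifier(now), now)
```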

nabeel652
Builder

use

earliest = @d+10h

For events after 10am today

0 Karma

Melstrathdee
Path Finder

Thanks nabeel652, we are on the same page. I'm currently using that, but it only works for events when I'm looking at the dashboard between 10am and midnight.

I also need to cover midnight to 9:59.

0 Karma

nabeel652
Builder

if it is in a different search you can use

earliest=@d latest=@d+10h

And for 10am till now

earliest=@d+10h latest=now

0 Karma