I have a report that I'd like to create but I need to set the earliest clause based on the current day of the week. So for example. On Mondays I need to set earliest to -3d at 07:30:00 (So records from Friday @ 7:30am onward are captured). The rest of the days of the week I would like to set it to -1d at 07:30:00.
I have the logic figured out on how to determine the day of the week, but things go sideways on me when I specify the earliest clause.
I think what you may have to do is set earliest=-3d@d
and then add in the logistics to filter out based on the current day.
|eval filter=if(relative_time(now(),"%w")=1,relative_time(now(),"-3d@d+7h+30m"),relative_time(now(),"-1d@d+7h+30m"))|where _time>=filter
Try like this
index=foo sourcetype=bar [| gentimes start=-1 | eval earliest=if(lower(strftime(now(),"%a"))="mon",relative_time(now(),"-3d@d+7h+30m"),relative_time(now(),"-1d@d+7h+30m")) | table earliest ] | rest of the search
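As an added example (not from this thread and not Splunk's own code), the following Python resolves the two modifiers used above against a given "now", so the Monday versus other-day boundary can be checked outside Splunk. relative_time and report_earliest are hypothetical helpers that implement only the subset of Splunk's relative time syntax the thread uses (signed d/h/m/s offsets and the @d snap).

```python
import re
from datetime import datetime, timedelta

# Subset of Splunk relative time modifiers used in the thread: signed offsets
# in d/h/m/s plus "@d" (snap to midnight). Constructed for this example; it is
# not Splunk's relative_time() and does not handle week/month/year units.
_TOKEN = re.compile(r"([+-]\d+)([dhms])|(@d)")
_UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}


def relative_time(now: datetime, modifier: str) -> datetime:
    """Apply a modifier such as "-3d@d+7h+30m" left to right, as Splunk does."""
    t = now
    pos = 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:  # reject anything that is not a known token
            raise ValueError(f"unsupported modifier: {modifier!r}")
        pos = m.end()
        if m.group(3):  # "@d": snap to the start of the (already shifted) day
            t = t.replace(hour=0, minute=0, second=0, microsecond=0)
        else:
            t = t + timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})
    if pos != len(modifier):
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return t


def report_earliest(now: datetime) -> datetime:
    """Monday -> previous Friday 07:30; every other day -> yesterday 07:30.

    weekday() == 0 is Monday, the same test as strftime(now(),"%a")="Mon"
    in the search above, but independent of the process locale.
    """
    modifier = "-3d@d+7h+30m" if now.weekday() == 0 else "-1d@d+7h+30m"
    return relative_time(now, modifier)


if __name__ == "__main__":
    # Constructed sample: Mon 2017-04-24 19:59 and Tue 2017-04-25 19:59.
    for sample in (datetime(2017, 4, 24, 19, 59), datetime(2017, 4, 25, 19, 59)):
        print(sample.strftime("%a %Y-%m-%d"), "->", report_earliest(sample))
```

Whatever produces the boundary, compare it with _time as a number (epoch), not as a formatted string, or the where clause silently drops everything.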
I think you are close.... I adapted what you wrote to the following....
index="my_index" | eval start=if( (strftime(Now(),"%a") == "Mon"), "-3d@d+7h+30m", "-10d@d+7h+30m") | eval r_time=relative_time(now(), start) | eval sr_time=strftime(r_time,"%m/%d/%Y:%X") | where _time >= r_time | table event_ID, _time, r_time
but now I seem to be getting everything.... Looking at _time and r_time they are of different formats...
_time = 2017-04-25 19:59:00
r_time = 1502022600.000000
Is that why??
_time is in epoch, but displays in human-readable form. If you were to add |eval time=_time it should display time as epoch, as well.
Try changing strftime(now(),"%a") to relative_time(now(),"%a") in your start eval.
cmerriman... That seems to have done the trick!!
Thank you both!!
Add this before the where condition: | eval r_time=strftime(r_time,"%Y-%m-%d %H:%M:%S")
Very strange. Now I've got nothing.... But the formats are matching..
To find the current day of the week, use something like the below:
| eval DayOfWeek=strftime(_time, "%A")
Right. I have that part.... More specifically.....
| eval start=if( (strftime(Now(),"%a") == "Mon"), "-3d0", "-1d") | eval r_time=strftime(relative_time(now(), start),"%m/%d/%Y:07:30:00") | where earliest=r_time
However, it's not finding any results even though I know they exist.