I have a report that I'd like to create but I need to set the earliest clause based on the current day of the week. So, for example, on Mondays I need to set earliest to -3d at 07:30:00 (so records from Friday @ 7:30am onward are captured). The rest of the days of the week I would like to set it to -1d at 07:30:00.
I have the logic figured out on how to determine the day of the week, but things go sideways on me when I specify the earliest clause.
To find the current day of the week, use something like the below:
| eval DayOfWeek=strftime(_time, "%A")
Right. I have that part.... More specifically.....
| eval start=if( (strftime(Now(),"%a") == "Mon"), "-3d0", "-1d") | eval rtime=strftime(relativetime(now(), start),"%m/%d/%Y:07:30:00") | where earliest=r_time
However, it's not finding any results even though I know they exist.
I think what you may have to do is set earliest=-3d@d and then add in the logistics to filter out based on the current day.
| eval filter=if(strftime(now(),"%w")="1", relative_time(now(),"-3d@d+7h+30m"), relative_time(now(),"-1d@d+7h+30m")) | where _time>=filter
I think you are close.... I adapted what you wrote to the following....
index="myindex" | eval start=if( (strftime(Now(),"%a") == "Mon"), "-3d@d+7h+30m", "-10d@d+7h+30m") | eval rtime=relativetime(now(), start) | eval srtime=strftime(rtime,"%m/%d/%Y:%X") | where _time >= rtime | table eventID, _time, rtime
but now I seem to be getting everything.... Looking at time and rtime they are of different formats...
time = 2017-04-25 19:59:00
rtime = 1502022600.000000
Is that why??
Add this before the where condition: | eval rtime=strftime(rtime,"%Y-%m-%d %H:%M:%S")
Very strange. Now I've got nothing.... But the formats are matching..
time is in epoch, but displays in human-readable. if you were to add `|eval time=time` it should display time as epoch, as well. `strftime(now(),"%a")`, to `relative_time(now(),"%a")` in your start eval
cmerriman... That seems to have done the trick!!
Thank you both!!
Try like this:
index=foo sourcetype=bar [| gentimes start=-1 | eval earliest=if(lower(strftime(now(),"%a"))="mon", relative_time(now(),"-3d@d+7h+30m"), relative_time(now(),"-1d@d+7h+30m")) | table earliest ] | rest of the search
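The `-3d@d+7h+30m` style modifiers used in the answers above resolve in a fixed order: apply the offset, snap to the unit after `@`, then apply the trailing offset. As an added example that is not from this thread or from Splunk, the Python below models that subset of the modifier syntax plus the Monday/other-day branch, so the resulting earliest boundary can be checked offline; it assumes naive local time and does no DST handling.

```python
import re
from datetime import datetime, timedelta

# Added example (not Splunk's code): a small model of the subset of Splunk's
# relative-time modifier syntax used in this thread, e.g. "-3d@d+7h+30m"
# = go back 3 days, snap to midnight, then add 7h30m. Assumes naive local
# time and no DST handling, which is enough to check the weekday logic.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
OFFSET = re.compile(r"([+-]?)(\d*)([smhdw])")
OFFSETS_ONLY = re.compile(r"(?:[+-]?\d*[smhdw])*")

def parse_local(text):
    """Helper for building sample timestamps like '2017-04-24 19:59:00'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def apply_offsets(t, text):
    """Apply a run of offsets such as '-3d' or '+7h+30m' to datetime t."""
    if not OFFSETS_ONLY.fullmatch(text):
        raise ValueError(f"bad offset spec: {text!r}")
    for sign, num, unit in OFFSET.findall(text):
        n = int(num) if num else 1          # '-d' means '-1d'
        delta = timedelta(seconds=n * UNIT_SECONDS[unit])
        t = t - delta if sign == "-" else t + delta
    return t

def snap(t, unit):
    """'@d' snaps to midnight, '@h' to the hour, '@m' to the minute."""
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    raise ValueError(f"unsupported snap unit: {unit!r}")

def relative_time(now, spec):
    """Evaluate spec against now, mirroring relative_time(now(), spec)."""
    if "@" in spec:
        before, after = spec.split("@", 1)
        t = snap(apply_offsets(now, before), after[0])
        return apply_offsets(t, after[1:])
    return apply_offsets(now, spec)

def earliest_for(now):
    """Monday looks back to Friday 07:30; other days to yesterday 07:30."""
    spec = "-3d@d+7h+30m" if now.strftime("%a") == "Mon" else "-1d@d+7h+30m"
    return relative_time(now, spec)

if __name__ == "__main__":
    for s in ("2017-04-24 19:59:00", "2017-04-25 19:59:00"):  # Mon, Tue
        e = earliest_for(parse_local(s))
        print(s, "->", e.strftime("%a %Y-%m-%d %H:%M:%S"), int(e.timestamp()))
```

The epoch value printed last is what `relative_time()` actually yields in Splunk, which is why the thread's `_time >= rtime` comparison only works while both sides are still numbers.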