Filtering a weekly timewrap timechart by a specifi...

jbrenner · ‎03-20-2024

I have the following query that gives me week-over-week comparisons for the past month:

index="myIndex" earliest=-1mon "my query" | timechart count as Visits | timewrap w

I have added dropdowns to my dashboard to filter this data by a user-selected time window for every day in the one month range. The four dropdowns correspond to the start hour, start minute, end hour, and end minute of the time window in military time. For example, to filter the data by 6:30 AM - 1:21 PM each day, the tokens would have the following values:

$start_hour_token$: '6'
$start_minute_token$: '30' 
$end_hour_token$: '13' 
$end_minute_token$: '21'

How would I modify the original query to make ths work?

Thanks! Jonathan

bowesmana · ‎03-20-2024

Do you have the date_* fields in your data?

If so, you can do this

search... earliest=-1mon (date_hour>=$start_hour_token$ date_minute>=$start_minute_token$) (date_hour<$end_hour_token$ OR (date_hour=$end_hour_token$ date_minute<$end_minute_token$)))

If you don't have those fields extracted, then you will have to do an eval statement to create the date_hour and date_minute fields and then do a where clause to do the same comparison as above.

Filtering a weekly timewrap timechart by a specific time window each day.

timechart

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?