I would like to get the value of a field at the same time every day (e.g. midday) over a 'long' time period (e.g. a month). That much is easy.
However, is it possible, if that value is missing, to get the value of the field from the 'closest' time available that day?
I don't much mind whether the closest is before or after, as long as I understand how it's obtained.
vaijpc, I believe the following search would get you what you need.
Perform an initial query with `earliest` set to your target time and `latest` set to an appropriate positive offset. The stats command will get the value closest to `earliest`, going forward in time.
Join a secondary query with `latest` set to your target time and `earliest` set to an appropriate negative offset. The stats command will get the value closest to `latest`, going back in time.
Compare the time difference between the fields returned from each query, and take <field> from whichever result has the smaller offset from the desired time.
<your_search> earliest=-12h latest=-11h
| stats last(field) as field1, last(_time) as time1
| eval timeDiff1 = time1 - (now() - 43200)
| join [search <your_search> earliest=-13h latest=-12h
    | stats first(field) as field2, first(_time) as time2
    | eval timeDiff2 = (now() - 43200) - time2]
| eval field = if(timeDiff1 <= timeDiff2, field1, field2)
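The selection the search performs can be illustrated outside Splunk. Here is a minimal Python sketch of the same idea; the event list and the noon target of 43200 seconds are made-up values for the example:

```python
# Sketch of the closest-to-target selection the search above performs.
# Events are (epoch_time, value) pairs; target is the desired timestamp.

def closest_value(events, target):
    """Return the value whose timestamp is nearest to target (before or after)."""
    after = [e for e in events if e[0] >= target]   # window going forward
    before = [e for e in events if e[0] <= target]  # window going back
    candidates = []
    if after:
        first_after = min(after, key=lambda e: e[0])
        candidates.append((first_after[0] - target, first_after[1]))
    if before:
        last_before = max(before, key=lambda e: e[0])
        candidates.append((target - last_before[0], last_before[1]))
    # Smaller offset wins, like if(timeDiff1 <= timeDiff2, field1, field2)
    return min(candidates, key=lambda c: c[0])[1] if candidates else None

# Hypothetical events around a noon target of 43200 seconds into the day
events = [(39600, "a"), (42000, "b"), (46800, "c")]
print(closest_value(events, 43200))  # "b": 1200s before noon beats "c" at 3600s after
```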
I think I can see how this is going to work. The problem is that I want a final result of, e.g., an entire year's midday values in one go. I don't think this search will give me that? I'll edit my question to make it clearer.
Sorry. No, this will not help you get the entire year's midday values in one shot. I would recommend using a script which runs one search for each day and combines the results.
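A minimal sketch of that per-day loop in Python; `run_search` is a hypothetical stand-in for however you actually submit each search (SDK, REST API, or CLI), and the dates are example values:

```python
from datetime import date, datetime, timedelta

def run_search(earliest, latest):
    """Hypothetical stand-in for submitting one Splunk search
    over the given time window and returning its result."""
    return {"earliest": earliest, "latest": latest, "value": None}

def midday_values(start, days, window=timedelta(hours=1)):
    """Run one search per day in a window around noon and combine the results."""
    results = []
    for i in range(days):
        day = start + timedelta(days=i)
        noon = datetime.combine(day, datetime.min.time()) + timedelta(hours=12)
        results.append(run_search(noon - window, noon + window))
    return results

results = midday_values(date(2011, 1, 1), 31)  # one month of noon windows
print(len(results))  # 31
```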
I guess a scheduled search and splunk/bin/fillsummaryindex.py could get the job done... not exactly the cleanest solution.