Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get the previous day 8-9PM data based on the date selected in the query

SG
Path Finder
‎06-24-2021 12:30 AM

HI,

While running a query I am giving timings as below 

23-06-2021 01:00 to 23-06-2021 04:00 AM

The timings can change as per the requirement.

I wanted to prepare a comparison like if I am running below query for 23rd June, I should be able to get the data for the 23rd June and given timings and also need data for 22nd June (means the previous day) between 08:00 PM to 09:00 PM.

 

"LLT*" Status!=200 | stats  count by qname

 

This will give me the comparison with peak hour which is 08:00 PM to 09:00 PM.

Another example, if i am giving timings in the dashboard like 15th June from 10:00 AM to 11:00 AM, I should get data for 15th June and also 14th June 08:00 PM to 09:00 PM. The previous day is one day earlier than the date given in the dashboard and the timings of the previous day are constant all the time.

Can you please help me in writing this query?

Thanks,
SG

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-24-2021 04:55 AM

Assuming you are using a timepicker for selecting your time period, you can evaluate additional tokens in the change handler for the timepicker and use these tokens to set the earliest and latest times for your extra search

    <input type="time" token="timepicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="daybefore20">relative_time(relative_time(now(),$timepicker.earliest$),"-1d@d+20h")</eval>
        <eval token="daybefore21">relative_time(relative_time(now(),$timepicker.latest$),"-1d@d+21h")</eval>
      </change>
    </input>

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-24-2021 04:55 AM

Assuming you are using a timepicker for selecting your time period, you can evaluate additional tokens in the change handler for the timepicker and use these tokens to set the earliest and latest times for your extra search

    <input type="time" token="timepicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="daybefore20">relative_time(relative_time(now(),$timepicker.earliest$),"-1d@d+20h")</eval>
        <eval token="daybefore21">relative_time(relative_time(now(),$timepicker.latest$),"-1d@d+21h")</eval>
      </change>
    </input>
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...