
Get the previous day 8-9PM data based on the date selected in the query

SG
Path Finder

Hi,

While running a query I am giving timings as below:

23-06-2021 01:00 to 23-06-2021 04:00 AM

The timings can change as per the requirement.

I want to prepare a comparison: if I am running the below query for 23rd June, I should be able to get the data for 23rd June at the given timings, and I also need the data for 22nd June (the previous day) between 08:00 PM and 09:00 PM.


    "LLT*" Status!=200 | stats count by qname


This will give me the comparison with the peak hour, which is 08:00 PM to 09:00 PM.

Another example: if I am giving timings in the dashboard like 15th June from 10:00 AM to 11:00 AM, I should get data for 15th June and also for 14th June 08:00 PM to 09:00 PM. The previous day is one day earlier than the date given in the dashboard, and the timings of the previous day are constant all the time.

Can you please help me in writing this query?

Thanks,
SG


ITWhisperer
SplunkTrust

Assuming you are using a timepicker for selecting your time period, you can evaluate additional tokens in the change handler for the timepicker and use these tokens to set the earliest and latest times for your extra search.

    <input type="time" token="timepicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="daybefore20">relative_time(relative_time(now(),$timepicker.earliest$),"-1d@d+20h")</eval>
        <eval token="daybefore21">relative_time(relative_time(now(),$timepicker.latest$),"-1d@d+21h")</eval>
      </change>
    </input>

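As an added example (not from this thread and not Splunk's own code), a small Python reimplementation of the relative-time modifier grammar the answer relies on, so you can check offline what `-1d@d+20h` and `-1d@d+21h` produce from a selected range before wiring the tokens into a dashboard. It assumes naive local timestamps in `YYYY-MM-DD HH:MM` form and supports only the s/m/h/d units; the function names are my own.

```python
import re
from datetime import datetime, timedelta

# Added example, not Splunk's code: a minimal reimplementation of the
# relative_time() modifier grammar used in the answer ("-1d@d+20h").
# Modifiers are applied left to right: "-1d" subtracts a day, "@d" snaps
# to midnight, "+20h" adds 20 hours.
FMT = "%Y-%m-%d %H:%M"
OFFSET_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
SNAP_FIELDS = {"s": ("microsecond",),
               "m": ("microsecond", "second"),
               "h": ("microsecond", "second", "minute"),
               "d": ("microsecond", "second", "minute", "hour")}
TOKEN = re.compile(r"([+-]\d+)([smhd])|@([smhd])")


def relative_time(base: datetime, spec: str) -> datetime:
    """Apply a chain of Splunk-style offset/snap modifiers to base."""
    t, pos = base, 0
    while pos < len(spec):
        m = TOKEN.match(spec, pos)
        if m is None:
            raise ValueError(f"unsupported modifier near {spec[pos:]!r}")
        if m.group(3):                      # "@unit": truncate to unit start
            t = t.replace(**{f: 0 for f in SNAP_FIELDS[m.group(3)]})
        else:                               # "+N"/"-N" followed by a unit
            t += timedelta(**{OFFSET_UNIT[m.group(2)]: int(m.group(1))})
        pos = m.end()
    return t


def previous_day_peak(earliest: str, latest: str) -> tuple:
    """Mirror the answer's two eval tokens: daybefore20 is derived from the
    selected earliest time, daybefore21 from the selected latest time."""
    start = relative_time(datetime.strptime(earliest, FMT), "-1d@d+20h")
    end = relative_time(datetime.strptime(latest, FMT), "-1d@d+21h")
    return start.strftime(FMT), end.strftime(FMT)


if __name__ == "__main__":
    # The poster's case: 23-06-2021 01:00 to 04:00 -> 22-06-2021 20:00 to 21:00
    print(previous_day_peak("2021-06-23 01:00", "2021-06-23 04:00"))
```

Because one token is derived from the earliest time and the other from the latest, a selected range that crosses midnight yields a window whose start and end fall on different days; derive both tokens from the same endpoint if selections can span days.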