
## How to edit my search to find results from 7 days from yesterday in relative_time?

Path Finder

Hi All,

This gives me the value by subtracting 7 days from now:

```
|stats count | eval next_time=relative_time(now(),"-7d@d")| convert ctime(*_time)
```

I actually want 7 days starting from yesterday and used the one below, and it's not giving me any value.

```
|stats count | eval next_time=relative_time("-1d@d","-7d@d")| convert ctime(*_time)
```

Please let me know how this can be achieved.


## Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Motivator

7 days from yesterday will be `|stats count | eval next_time=relative_time(now(),"-8d@d")| convert ctime(*_time)`

Additional information on this: trying `| addinfo` may help you.

Search time frame: Last 1 hr (change based on your requirement)

```
| stats count
| addinfo
| eval earliest=relative_time(info_max_time,"-7d@d")
| eval latest=relative_time(info_max_time,"-1d@d")
| eval next_time=relative_time(relative_time(now(),"-1d@d"),"-7d@d")
| convert ctime(info_max_time) as info_max_time, ctime(info_min_time) as info_min_time, ctime(earliest) ctime(latest)
```

Description: `| addinfo` provides details about the search, such as info_max_time and info_min_time. Take info_max_time and use relative time to move the earliest to 7 days (any relative time `7d@d` based on your requirement). The same info_max_time field is used to calculate yesterday (`-1d@d`).

Definition of the relative_time function:

relative_time(X,Y)
This function takes an epochtime time, X, as the first argument and a relative time specifier, Y, as the second argument and returns the epochtime value of Y applied to X.

Example, `... | eval n=relative_time(now(), "-1d@d")`
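The chaining the question asks for, as an added example that is not part of the original thread: `relative_time` takes an epoch value as its first argument, so "yesterday" is computed first and then passed in as X. The output compares the chained result with the single-step `-8d@d` form and reports whether the string-as-X form from the question produced a value; the field names (`yesterday_start`, `chained`, `direct`, `string_as_x` and the two check fields) are illustrative.

```spl
| makeresults
| eval yesterday_start=relative_time(now(), "-1d@d")
| eval chained=relative_time(yesterday_start, "-7d@d")
| eval direct=relative_time(now(), "-8d@d")
| eval string_as_x=relative_time("-1d@d", "-7d@d")
| eval chained_matches_direct=if(chained==direct, "yes", "no")
| eval string_as_x_result=if(isnull(string_as_x), "null", "not null")
| convert ctime(yesterday_start) ctime(chained) ctime(direct)
| table yesterday_start chained direct chained_matches_direct string_as_x_result
```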


## Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Path Finder

Thanks, this helps; however, I have a new challenge here. Basically my query looks like this:

```
index="data" |eval period=if(_time>=relative_time(now(),"-8d@d"),strftime(relative_time(_time,"@w7"),"%m/%d"),strftime(relative_time(_time,"-@w7"),"%m/%d")) |search period!=NULL | chart count over app_name by period | sort 10 -period
```

I am not able to bring up the top 10 values using the above query; can you guys let me know?

## Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Esteemed Legend

Change the stuff after the last `|` to this:

```
| top 10 app_name by period
```

## Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Path Finder

Thanks, this didn't help


## Re: How to edit my search to find results from 7 days from yesterday in relative_time?

SplunkTrust

This is how your final output looks before the sort:

```
appname, sundaylastweek, sundaythisweek
appname1, count ,count...
.....
```

So, you get two columns with counts; which one do you want to use to sort/get the top 10 values?


## Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Path Finder

Thanks somesoni2, I want to sort appname1,count,count...


## Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Esteemed Legend

I am completely confused but that's not the worst part; every update makes me more confused!
