Splunk Search
Highlighted

How to edit my search to find results from 7 days from yesterday in relative_time?

Path Finder

Hi All,

This give me value by subtracting 7 days from now

|stats count | eval next_time=relative_time(now(),"-7d@d")| convert ctime(*_time)

I am actually want 7 days starting from yesterday and used the below one and its not giving me any value.

|stats count | eval next_time=relative_time("-1d@d","-7d@d")| convert ctime(*_time)

Please let me know, how this can be achieved.

Tags (3)
Highlighted

Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Motivator

7 days from yesterday will be |stats count | eval next_time=relative_time(now(),"-8d@d")| convert ctime(*_time)

Search time frame: Last 1 hr (change based on your requirement)

|stats count | addinfo | eval earliest=relative_time(info_max_time,"-7d@d") | eval latest=relative_time(info_max_time,"-1d@d") | eval next_time=relative_time("-1d@d","-7d@d") | convert ctime(info_max_time) as info_max_time, ctime(info_min_time) as info_min_time , ctime(earliest) ctime(latest)

Description, | addinfo Provides the details about the search like infomaxtime, infomintime, Taking infomaxtime and use relative time to move the earliest to 7 days (any relative time 7d@d based on your requirement). Used the same infomaxtime field to calculate the yesterday (-1d@d) .

Definition of relative_time function ,

relative_time(X,Y)
This function takes an epochtime time, X, as the first argument and a relative time specifier, Y, as the second argument and returns the epochtime value of Y applied to X.

Example, ... | eval n=relative_time(now(), "-1d@d")

Highlighted

Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Path Finder

Thanks this helps, however, I have new challenge here. Basically my query looks like this

index="data" |eval period=if(time>=relativetime(now(),"-8d@d"),strftime(relativetime(time,"@w7"),"%m/%d"),strftime(relativetime(time,"-@w7"),"%m/%d")) |search period!=NULL | chart count over app_name by period | sort 10 -period.

I am not able to bring up the top 10 values using above query, can you guys let me know.

Highlighted

Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Esteemed Legend

Change the stuff after the last | to this:

| top 10 app_name by period
Highlighted

Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Path Finder

Thanks, this didn't help

Re: How to edit my search to find results from 7 days from yesterday in relative_time?

SplunkTrust

This is how your final output like before sort:-

appname, sundaylastweek, sundaythisweek
appname1, count ,count...
.....

So, you get two columns with count, which one you want to use to sort/get top 10 values?

Highlighted

Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Path Finder

Thanks somesoni2, I want to sort appname1,count,count...

Highlighted

Re: How to edit my search to find results from 7 days from yesterday in relative_time?

Esteemed Legend

I am completely confused but that's not the worst part; every update makes me more confused!

Highlighted

Splunk Employee