This gives me a value by subtracting 7 days from now:
|stats count | eval next_time=relative_time(now(),"-7d@d")| convert ctime(*_time)
I actually want 7 days starting from yesterday. I used the one below, and it's not giving me any value:
|stats count | eval next_time=relative_time("-1d@d","-7d@d")| convert ctime(*_time)
Please let me know, how this can be achieved.
7 days from yesterday will be:
|stats count | eval next_time=relative_time(now(),"-8d@d")| convert ctime(*_time)
Additional information on this: try | addinfo, which may help you.
Search time frame: Last 1 hr (change based on your requirement)
|stats count | addinfo | eval earliest=relative_time(info_max_time,"-7d@d") | eval latest=relative_time(info_max_time,"-1d@d") | convert ctime(info_max_time) as info_max_time ctime(info_min_time) as info_min_time ctime(earliest) ctime(latest)
| addinfo provides details about the search, such as info_max_time and info_min_time. Take info_max_time and use relative_time to move the earliest back 7 days (any relative time, e.g. -7d@d, based on your requirement). The same info_max_time field is used to calculate yesterday (-1d@d).
Definition of the relative_time function:
This function takes an epochtime time, X, as the first argument and a relative time specifier, Y, as the second argument and returns the epochtime value of Y applied to X.
... | eval n=relative_time(now(), "-1d@d")
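To make the definition above concrete, here is an added Python model of what relative_time(X, Y) does with an epoch X and a specifier Y such as "-7d@d" or "@w7". It is example code written for this page, not Splunk's implementation. It assumes UTC for snapping (Splunk snaps in the search user's time zone), models only the units s/m/h/d/w and the snaps @d, @w and @w0..@w7 in offset-then-snap order, and, as the thread reports for relative_time("-1d@d","-7d@d"), returns no value when X is not a number. The sample "now" value is a constructed timestamp, not taken from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample "now": Wednesday 2024-03-13 15:30:00 UTC (not from the thread).
NOW = 1710343800

# offset (signed amount + unit) followed by an optional snap: "-7d@d", "@w7", "-2h", ""
# Assumption: only these units/snaps are modelled, and a bare amount without a unit is rejected.
_SPEC = re.compile(r"^(?:([+-]?\d+)([smhdw]))?(?:@(d|w[0-7]?))?$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def relative_time(epoch, spec):
    """Apply relative-time specifier `spec` to epoch `epoch`.

    Returns None when `epoch` is not numeric, which is why the thread's
    relative_time("-1d@d","-7d@d") produced nothing: the first argument must be an epoch.
    """
    if isinstance(epoch, bool) or not isinstance(epoch, (int, float)):
        return None
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"unsupported relative time specifier: {spec!r}")
    amount, unit, snap = m.groups()
    t = float(epoch)
    if amount is not None:
        t += int(amount) * _UNIT_SECONDS[unit]
    if snap:
        # "@d": snap back to midnight (UTC assumed here).
        dt = datetime.fromtimestamp(t, tz=timezone.utc).replace(
            hour=0, minute=0, second=0, microsecond=0)
        if snap.startswith("w"):
            # "@w"/"@w0"/"@w7" snap to the most recent Sunday, "@w1" to Monday, ...
            splunk_dow = int(snap[1:] or 0) % 7        # Splunk: 0=Sunday .. 6=Saturday
            py_dow = (splunk_dow - 1) % 7              # Python: 0=Monday .. 6=Sunday
            dt -= timedelta(days=(dt.weekday() - py_dow) % 7)
        t = dt.timestamp()
    return t


def ctime(epoch):
    """Render an epoch the way `convert ctime(...)` does by default (UTC assumed)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def window(anchor_epoch, earliest_spec, latest_spec):
    """The addinfo-style window from the answer above: both bounds derived from one
    anchor epoch (e.g. info_max_time) with two relative specifiers."""
    return relative_time(anchor_epoch, earliest_spec), relative_time(anchor_epoch, latest_spec)


if __name__ == "__main__":
    for spec in ("-7d@d", "-1d@d", "@d", "@w7", "@w1", "-2h"):
        print(f"{spec:>6} -> {ctime(relative_time(NOW, spec))}")
    print("string as X ->", relative_time("-1d@d", "-7d@d"))
    earliest, latest = window(NOW, "-7d@d", "-1d@d")
    print("window:", ctime(earliest), "to", ctime(latest))
```

Running it shows why "@w7" and "@w1" land on different days of the same week, and that the week snap is applied after the day offset, which is the order the question's "-8d@d" relies on.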
Thanks, this helps. However, I have a new challenge here. Basically my query looks like this:
index="data" |eval period=if(_time>=relative_time(now(),"-8d@d"),strftime(relative_time(_time,"@w7"),"%m/%d"),strftime(relative_time(_time,"-@w7"),"%m/%d")) |search period!=NULL | chart count over app_name by period | sort 10 -period
I am not able to bring up the top 10 values using the above query; can you guys let me know?
@smaran06 - Did the answer provided by vasanthmss help provide a working solution to your original question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with additional feedback. Thank you.
This is what your final output looks like before the sort:

appname, sundaylastweek, sundaythisweek
appname1, count, count
...

So you get two columns with counts; which one do you want to use to sort/get the top 10 values?