Solved: Re: How to set latest to be relative to earliest +...

amylala · ‎11-12-2015

How to set latest = earliest + 1h ?

The reason I ask this question is because I want to add drilldown function into a column time chart. Time span of the chart is 1h.
I can get the time of a selected column, which I will use as the earliest time. And I want to set latest to be + one hour from earliest.

Or it would be great if anyone can tell me how to get the time range of a selected column.

woodcock · ‎11-12-2015

With relative_time and map, like this (run anywhere example):

| noop | stats count AS latest | eval earliest=relative_time(now(), "-1d@d") | eval latest=earliest+3600 | map search="search earliest=$earliest$ latest=$latest$ index=_internal"

Just replace index=_internal with your search.

View solution in original post

woodcock · ‎11-12-2015

With relative_time and map, like this (run anywhere example):

| noop | stats count AS latest | eval earliest=relative_time(now(), "-1d@d") | eval latest=earliest+3600 | map search="search earliest=$earliest$ latest=$latest$ index=_internal"

Just replace index=_internal with your search.

amylala · ‎11-30-2015

      <link> 
        <![CDATA[ 
         /app/search/search?q=search index=app .. earliest=$earliest$ latest=$latest$ 
         ]]> 
       </link>

Thanks, woodcock. I can drill down to clicked time range with above query. No need to add internal for latest.

woodcock · ‎12-01-2015

OK, be sure to click "Accept" to close the question.

How to set latest to be relative to earliest + 1h?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life