Solved: Is it possible to add a condition in this relative...

jip31 · ‎05-17-2022

hello

I count events in a single panel from a relative time like below

As you can see, I search only events between 7h and 20h 7 days ago

earliest=-7d@d+7h latest=-7d@d+20h

Now, I dont know if it is possible but I would like to add a condition in this relative time because even if I use the timepicker, the result count dont change

So I would like to count events only for the last 60 minutes during 7h and 20h for the 7 days ago

Is it possible?

Thanks

somesoni2 · ‎05-17-2022

Try this

earliest=-7d@h latest=-7d@h+60m

OR

earliest=-7d@h-60m latest=-7d@h

View solution in original post

ITWhisperer · ‎05-17-2022

What timeframe do you want at 06:30, 07:30, 19:30, and 20:30?

somesoni2 · ‎05-17-2022

Try this

earliest=-7d@h latest=-7d@h+60m

OR

earliest=-7d@h-60m latest=-7d@h

jip31 · ‎05-17-2022

thanks

so is not possible to specify also just between 7h and 19h?

something like this :

earliest=-7d@7h-60m latest=-7d@19h

somesoni2 · ‎05-17-2022

You're using inline timerange in search which overrides time-range picker, so that's why you see same count even after changing the time range picker value.

Your requirement is not that clear. Could you please provide example value using a sample date (e.g. if right now is 2022/05/17 2:00 PM what time range you want to search)?

jip31 · ‎05-17-2022

Hi

Considering right now it's 2022/05/17 2:00 PM, I need to count events 7 days ago and 60 m before the current time

And if it is possible between 7h and 19h

So in this case it will be 2022/05/10 1:00 PM

Is it possible to add a condition in this relative time? Even with timepicker the result count doesn't change

Other

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...