Hello everyone,
I have a search that uses the time range picker, and my specific time range is 01/07/2018 to 01/13/2018. I also have a subsearch whose time range should be equivalent to the past 4 weeks relative to my first search query, which should be 12/10/2017 to 01/06/2018.
My problem is that I don't know how to get those values and use them in my subsearch's time range (earliest and latest).
This is PART of my query; please give me an example of how to solve this problem.
index="lrt_raw" DEVICE_ID=T*
|dedup _raw
|stats sum(TXN_AMT) as "SJT" by date_wday
|join type=inner date_wday [search index=rms report_id=0153A earliest=-28d@d latest=-8d@m
@ygdrassil, please try the following run-anywhere dashboard, which uses a dummy search to pick the selected Time input's earliest time using the predefined search token $job.earliestTime$ (in string time format) and uses <eval> with relative_time and strptime to get the earliest time ($subSearchEarliest$) for the subsearch as the current day 4 weeks ago, -4w@d (if you need the start of the week 4 weeks ago it would be -4w@0w), and for the latest time ($subSearchLatest$) selects the previous day based on the earliest time using -1d@d. Please try the run-anywhere dashboard and confirm.
<form>
  <label>Time for subsearch from same timepicker</label>
  <search>
    <query>| makeresults
    </query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <progress>
      <!-- $job.earliestTime$ is assumed to be an ISO 8601 string such as 2018-01-07T00:00:00.000-08:00,
           so the strptime format uses dashes, milliseconds (%3N) and a colon-separated offset (%:z). -->
      <eval token="subSearchEarliest">relative_time(strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%:z"),"-4w@w0")</eval>
      <eval token="subSearchLatest">relative_time(strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%:z"),"-1d@d")</eval>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- both tokens hold epoch seconds, so they can be passed straight to earliest= and latest= -->
          <query>index=_internal sourcetype=splunkd earliest=$subSearchEarliest$ latest=$subSearchLatest$
| stats count by log_level
| append [|makeresults| fields - _time| eval log_level="INFO",count=0]
| dedup log_level
| eval subSearchEarliestTime=strftime($subSearchEarliest$,"%Y/%m/%d %H:%M:%S"), subLatestTime=strftime($subSearchLatest$,"%Y/%m/%d %H:%M:%S")</query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
      </table>
    </panel>
  </row>
</form>
PS: The commands | append [|makeresults| fields - _time| eval log_level="INFO",count=0] | dedup log_level
have been added so that the demo query returns at least one row even when there is no data in the _internal index from 4 weeks ago.
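To check where the two <eval> tokens above actually land before wiring them into a dashboard, here is an added example in Python (not code from the answer or from Splunk). It assumes $job.earliestTime$ arrives as an ISO 8601 string like 2018-01-07T00:00:00.000-08:00 (a constructed sample), models relative_time's offset-then-snap behaviour for the -Nd/-Nw offsets and the @d, @w and @w0..@w6 snaps, and includes an in_window check that follows Splunk's inclusive-earliest / exclusive-latest semantics so the resulting boundaries can be compared with the 12/10/2017 to 01/06/2018 range from the question.

```python
import re
from datetime import datetime, timedelta

# Assumed (not taken from the post): $job.earliestTime$ carries an ISO 8601 value
# such as "2018-01-07T00:00:00.000-08:00" (the constructed sample used below).
JOB_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Offset units handled here: days, weeks, hours, minutes (the dashboard only needs d and w).
UNITS = {
    "d": timedelta(days=1),
    "w": timedelta(weeks=1),
    "h": timedelta(hours=1),
    "m": timedelta(minutes=1),
}
# "<offset>@<snap>" where the offset looks like -4w and the snap is d, h, m, w or w0..w6
MODIFIER = re.compile(r"^(?P<off>[+-]\d+[dwhm])?(?:@(?P<snap>d|h|m|w[0-6]?))?$")


def parse_job_time(iso_text: str) -> datetime:
    """Parse the string form of $job.earliestTime$ / $job.latestTime$ into an aware datetime."""
    return datetime.strptime(iso_text, JOB_TIME_FORMAT)


def relative_time(base: datetime, modifier: str) -> datetime:
    """Apply a Splunk-style modifier: the offset first, then the snap-to unit."""
    m = MODIFIER.match(modifier)
    if not modifier or not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    t = base
    if m["off"]:
        sign = -1 if m["off"][0] == "-" else 1
        count, unit = int(m["off"][1:-1]), m["off"][-1]
        t = t + sign * count * UNITS[unit]
    snap = m["snap"]
    if snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap and snap.startswith("w"):
        # @w and @w0 snap back to the most recent Sunday, @w1 to Monday, ... @w6 to Saturday.
        splunk_day = int(snap[1:]) if len(snap) > 1 else 0   # Splunk numbering: 0 = Sunday
        python_day = (splunk_day - 1) % 7                     # Python numbering: 0 = Monday, 6 = Sunday
        day_start = t.replace(hour=0, minute=0, second=0, microsecond=0)
        t = day_start - timedelta(days=(day_start.weekday() - python_day) % 7)
    return t


def subsearch_window(job_earliest_iso: str, earliest_mod: str = "-4w@w0", latest_mod: str = "-1d@d"):
    """What the two <eval> tokens in the dashboard compute, as timezone-aware datetimes."""
    base = parse_job_time(job_earliest_iso)
    return relative_time(base, earliest_mod), relative_time(base, latest_mod)


def to_epoch(t: datetime) -> int:
    """Epoch seconds, the form that earliest= and latest= accept in a search string."""
    return int(t.timestamp())


def in_window(event_iso: str, earliest: datetime, latest: datetime) -> bool:
    """Splunk's time-range semantics: earliest is inclusive, latest is exclusive."""
    return earliest <= parse_job_time(event_iso) < latest


if __name__ == "__main__":
    # Constructed sample: the picker set to 01/07/2018 00:00 in a -08:00 zone.
    e, l = subsearch_window("2018-01-07T00:00:00.000-08:00")
    print("subsearch earliest:", e.isoformat(), to_epoch(e))
    print("subsearch latest:  ", l.isoformat(), to_epoch(l))
    print("search string:", f"earliest={to_epoch(e)} latest={to_epoch(l)}")
```

Because latest is exclusive, "-1d@d" applied to a picker earliest of 01/07/2018 00:00 yields a latest of 01/06/2018 00:00, so events from Jan 6 itself fall outside the window; if the subsearch is meant to run right up to the start of the picker's day, snap with "@d" instead and compare the two windows with in_window on a sample timestamp.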
Can you try using epoch time? Also, in the time picker select All time so it will not affect your custom query time:
index="lrt_raw" DEVICE_ID=T*
earliest=1515263400 latest=1515868200
|dedup _raw
|stats sum(TXN_AMT) as "SJT" by date_wday
|join type=inner date_wday [search index=rms report_id=0153A earliest=1507746600 latest=1515263399]