Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Set earliest and latest using a variable depending on the current day

sweetlile
Explorer
‎09-26-2016 02:55 AM

Hey,
I want to display the results on a table. it works depending on the timeRange picker when I want it to display results depending on my eval function!!
This is my search:

source="##" RC="*"  SN="*" [search source="##" | head 1 | eval earliest=if(date_wday="monday", "-3d@d-4h", "-1d@d-4h") | eval latest=if(date_wday="monday", "@d-4h", "@d-4h") | table earliest, latest | format "" "" "" "" "" ""] | chart count by  RC, SN

It doesn't work when It's Monday, I want the search from Friday at 8AM until Monday at 8AM and If it's another day, I want the search results to be from the -d at 8AM until the current day at 8AM.
Can you help me, Please?

0 Karma
Reply

somesoni2
Revered Legend
‎09-26-2016 06:56 AM

Try like this. This will change the earliest and latest (time range) based on today.

 source="##" RC="*"  SN="*" [| gentimes start=-1 | eval earliest=if(lower(strftime(now(),"%A"))="monday", "-3d@d-4h", "-1d@d-4h") | eval latest="@d-4h" | table earliest, latest | format "" "" "" "" "" ""] | chart count by  RC, SN
0 Karma
Reply

sweetlile
Explorer
‎09-26-2016 07:48 AM

Sorry it doen't work I don't know why,
this is what I used as a solution:

source="##" RC="*"  SN="*" [search source="##" | head 1 | eval date_wday = strftime(_time, "%A") |eval earliest=if(date_wday="Monday", "-3d@d+8h", "-1d@d+8h") | eval latest=if(date_wday="Monday", "@d+8h", "@d+8h") | table earliest, latest | format "" "" "" "" "" ""] | chart count over RC by SN
0 Karma
Reply

somesoni2
Revered Legend
‎09-26-2016 08:10 AM

I can see you've changed the earliest and latest calculation, from the one mentioned in the question. Give this a try now..

source="##" RC="*"  SN="*" [| gentimes start=-1 | eval earliest=if(lower(strftime(now(),"%A"))="monday", "-3d@d+8h", "-1d@d+8h") | eval latest=if(lower(strftime(now(),"%A"))="monday",  "@d+8h", "@d+8h")   | table earliest, latest | format "" "" "" "" "" ""] | chart count by  RC, SN
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...