Splunk Search

Specify a day w/ a Token

clintla
Contributor

Just looking for a simple way to do this. 

I have an input token of how many days to look back where I want to just specify a full day with a days ago selection. 

| join type=outer name
[search daysago=60 enddaysago=59

works in a manual search when I just put in 60 & 59

But when I do a chart w/ an input panel

| join type=outer name
[search daysago=$day$ enddaysago=($day$-1)

I've tried an eval prior to the time

eval daybefore=$day$-1

and this doesnt work either. 

Seems like there should be a quick way to do this but just setting a token doesnt seem to be a place in the sourcecode where its allowed w/ a text input

Labels (1)
Tags (3)
0 Karma
1 Solution

clintla
Contributor

I'd tried the eval in the drill down w/o much luck but I found this

 

enddaysago=60 searchtimespandays=1

View solution in original post

0 Karma

ITWhisperer
Legend

Have you tried setting a second token in your input panel and use that?

0 Karma

clintla
Contributor

I'd tried the eval in the drill down w/o much luck but I found this

 

enddaysago=60 searchtimespandays=1

View solution in original post

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.