Splunk Search

Specify a day w/ a Token

clintla
Contributor

Just looking for a simple way to do this. 

I have an input token of how many days to look back where I want to just specify a full day with a days ago selection. 

| join type=outer name
[search daysago=60 enddaysago=59

works in a manual search when I just put in 60 & 59

But when I do a chart w/ an input panel

| join type=outer name
[search daysago=$day$ enddaysago=($day$-1)

I've tried an eval prior to the time

eval daybefore=$day$-1

and this doesnt work either. 

Seems like there should be a quick way to do this but just setting a token doesnt seem to be a place in the sourcecode where its allowed w/ a text input

Labels (1)
Tags (3)
0 Karma
1 Solution

clintla
Contributor

I'd tried the eval in the drill down w/o much luck but I found this

 

enddaysago=60 searchtimespandays=1

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Have you tried setting a second token in your input panel and use that?

0 Karma

clintla
Contributor

I'd tried the eval in the drill down w/o much luck but I found this

 

enddaysago=60 searchtimespandays=1

0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...