- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Time-Modifiers Search depending on the day
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi. Im using a Saved Search in a dashboard and cant manage to find if what i want to do is possible.
- I want my search to be from last friday 6PM to monday 8AM IF WE ARE MONDAY.
- I want my search to be from last day 6PM to this day 8AM THE OTHER DAYS.
The fact is when i start my day i want to see night events, and when its monday i want to see events of the week-end from friday 6PM to now.
Is it possible to do this with only one "search" ?
Today i use 2 searchs which are the same instead the time-modifiers:
For the week-end view:
- earliest_time = @w1-2d-6h
- latest_time = @w1+8h
For the night view:
- earliest_time = @d-6h
- latest_time = @d+8h
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you would like to search for one, How is such a feeling, for example, if I use the NOW ()?
(week=="1" is Monday)ex.
index=* [| stats count |eval week=strftime(now(),"%w") |eval earliest=if(week=="1","@w1-2d-6h","@d-6h") |eval latest=if(week=="1","@w1+8h","@d+8h")| return earliest latest]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
earliest=-3d@d+18h
| eval run_day=strftime(now(),"%A")
| eval today_midnight = strptime(strftime(now(),"%F"),"%s")
| eval mond_start = tonight_midnight - (86400 + 86400 + 21600)
| eval other_start = tonight_midnight - 21600
| eval stop = tonight_midnight + 28800
| eval start = if(run_day=="Monday",mond_start,other_start)
| where _time > start _time < stop
This ought to work, even though I have not tested it. Short breakdown;
line1: at most we will need to look back to 6PM 3 days ago
line2: find out if what day it is today, i.e. when we're running the search
line3: determine the epoch timestamp for midnight on the day the search is run
line4: define the epoch timestamp for 6PM three days ago
line5: define the epoch timestamp for 6PM yesterday
line6: define the epoch timestamp for 8AM today
line7: depending on todays weekday, define 'start' as 6PM three days ago, or 6PM yesterday
line8: restrict results based on _time
This could probably be shortened a bit, but for sake of simplicity there are a lot of evals.
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you would like to search for one, How is such a feeling, for example, if I use the NOW ()?
(week=="1" is Monday)ex.
index=* [| stats count |eval week=strftime(now(),"%w") |eval earliest=if(week=="1","@w1-2d-6h","@d-6h") |eval latest=if(week=="1","@w1+8h","@d+8h")| return earliest latest]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best way will be for the weekdays, run it everyday at 8 AM till Saturday morning using cron-schedule
with
earliest_time = @d-6h
latest_time = @d+8h
And for the weekend you can do
earliest_time=-1w@w6-6h
latest_time=@w1+8h
New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...
Alerting Best Practices: How to Create Good Detectors
Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...
