Hi. I'm using a Saved Search in a dashboard and can't manage to find out if what I want to do is possible.
The fact is, when I start my day I want to see the night's events, and when it's Monday I want to see the events of the weekend, from Friday 6 PM to now.
Is it possible to do this with only one "search"?
Today I use 2 searches which are the same except for the time modifiers:
For the week-end view:
For the night view:
The best way will be, for the weekdays, to run it every day at 8 AM until Saturday morning using a cron schedule:
earliesttime = @d-6h
latesttime = @d+8h
And for the weekend you can do
If you would like to do it with just one search, how about something like this, for example, using now()?
(week=="1" is Monday), e.g.:
index=* [| stats count |eval week=strftime(now(),"%w") |eval earliest=if(week=="1","@w1-2d-6h","@d-6h") |eval latest=if(week=="1","@w1+8h","@d+8h")| return earliest latest]
earliest=-3d@d+18h
| eval run_day=strftime(now(),"%A")
| eval today_midnight = strptime(strftime(now(),"%F"),"%F")
| eval mond_start = today_midnight - (86400 + 86400 + 21600)
| eval other_start = today_midnight - 21600
| eval stop = today_midnight + 28800
| eval start = if(run_day=="Monday",mond_start,other_start)
| where _time > start AND _time < stop
This ought to work, even though I have not tested it. Short breakdown:
line1: at most we will need to look back to 6PM 3 days ago
line2: find out what day it is today, i.e. when we're running the search
line3: determine the epoch timestamp for midnight on the day the search is run
line4: define the epoch timestamp for 6PM three days ago
line5: define the epoch timestamp for 6PM yesterday
line6: define the epoch timestamp for 8AM today
line7: depending on today's weekday, define 'start' as 6PM three days ago, or 6PM yesterday
line8: restrict results based on
This could probably be shortened a bit, but for sake of simplicity there are a lot of
Hope this helps,
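An added worked example in Python (not from any of the posters above), mirroring the Monday/weekday window logic of the two answers: a small evaluator for the relative time modifiers they use (@d, @w1, -6h, -2d, +8h), then a filter over constructed sample events equivalent to the final where clause. Splunk's snap-to semantics are assumed (@d = today's midnight, @w1 = the most recent Monday 00:00, @w0 = Sunday), and the run times and events are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Splunk relative-time pieces used in the thread: snap-to (@d, @w0..@w6 with
# 0 = Sunday) and signed offsets (-6h, -2d, +8h), applied left to right.
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_TOKEN = re.compile(r"@(d|w[0-6])|([+-]\d+)([smhd])")

def relative_time(now: datetime, modifier: str) -> datetime:
    """Evaluate e.g. '@w1-2d-6h' against `now` (assumed Splunk semantics)."""
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError(f"cannot parse {modifier!r} at offset {pos}")
        pos = m.end()
        snap, amount, unit = m.groups()
        if snap is not None:
            t = t.replace(hour=0, minute=0, second=0, microsecond=0)  # @d
            if snap != "d":  # @wN: back to the most recent weekday N
                t -= timedelta(days=(t.isoweekday() % 7 - int(snap[1])) % 7)
        else:
            t += timedelta(seconds=int(amount) * _UNIT[unit])
    if pos != len(modifier):
        raise ValueError(f"trailing text in {modifier!r}")
    return t

def review_window(now: datetime) -> tuple[datetime, datetime]:
    """Monday: Friday 18:00 .. Monday 08:00; else yesterday 18:00 .. today 08:00."""
    if now.isoweekday() == 1:  # the thread's strftime("%w") == "1"
        return relative_time(now, "@w1-2d-6h"), relative_time(now, "@w1+8h")
    return relative_time(now, "@d-6h"), relative_time(now, "@d+8h")

def select_events(events, now: datetime) -> list[str]:
    """Keep messages with start < _time < stop, like the `where` clause."""
    start, stop = review_window(now)
    return [msg for ts, msg in events if start < ts < stop]

# Constructed sample data: 2024-03-15 is a Friday, 2024-03-18 a Monday.
RUN_MONDAY = datetime(2024, 3, 18, 8, 0)
RUN_TUESDAY = datetime(2024, 3, 19, 8, 0)
SAMPLE_EVENTS = [
    (datetime(2024, 3, 15, 17, 30), "friday afternoon, before the window"),
    (datetime(2024, 3, 16, 2, 15), "saturday night failed logins"),
    (datetime(2024, 3, 17, 23, 50), "sunday night alert"),
    (datetime(2024, 3, 18, 7, 59), "monday early morning"),
    (datetime(2024, 3, 18, 9, 0), "monday after 08:00, outside the window"),
]
```

Running select_events with RUN_MONDAY keeps the three weekend-night events only; with RUN_TUESDAY the window is Monday 18:00 to Tuesday 08:00 and none of the samples fall in it.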