Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use events where _time= "Yesterday" or _time="Yesterday - 1Week"

HeinzWaescher
Motivator
‎02-12-2014 02:56 AM

Hi,

I want to tell a Splunksearch just to use events with a _time "yesterday" and "yesterday - 1week" in the search. So when I would start this search now, it should use the events where _time= 11/02/2014 or _time=04/02/2014.
In the timerangepicker it doesn't seem to be possible to define something like this. How can I achieve it in the search?

BR

Heinz

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-12-2014 04:55 AM

According to the Module Reference (http://docs.splunk.com/Documentation/Splunk/6.0.1/AdvancedDev/ModuleReference), TimeRangePicker uses values specified in the times.conf file. My times.conf file has the following definitions:

[yesterday]
label = Yesterday
earliest_time = -1d@d
latest_time = @d
order = 200
sub_menu = Other

[previous_week]
label = Previous week
header_label = in the previous week
earliest_time = -7d@w0
latest_time = @w0
order = 210
sub_menu = Other

Perhaps you can add these to your times.conf file.

---
If this reply helps you, Karma would be appreciated.
Reply

HeinzWaescher
Motivator
‎02-13-2014 02:35 AM

Thanks a lot, I will have a closer look at both suggestions!

0 Karma
Reply

Ayn
Legend
‎02-12-2014 04:48 AM

Apps are bundles of configurations just like what you already have in your system. They're just as likely/unlikely to break anything as all currently existing stuff. 🙂

Reply

gfuente
Motivator
‎02-12-2014 04:11 AM

You can use custom commands everywhere if you set them as global, so they can be used in existing reports/searches. I don´t think they will break anything, in the worst case you can just uninstall (delete) the app, and revert the changes.

Reply

HeinzWaescher
Motivator
‎02-12-2014 03:36 AM

And installing the app means that I can only use the comamnd in this app? So timewrap can't be used in existing reports?

0 Karma
Reply

HeinzWaescher
Motivator
‎02-12-2014 03:30 AM

Yes, in the end I want to achieve something like this.
I haven't used apps before...Is there any risk to crash parts of the splunk configuration when installing apps?

0 Karma
Reply

Ayn
Legend
‎02-12-2014 03:10 AM

Not exactly an answer to the question, but if you're after this because you want to compare week-by-week results you might be interested in the Timewrap app which adds the "timewrap" command: http://apps.splunk.com/app/1645/

Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...