Splunk Search

Variable earliest and latest?

stevensa
Explorer

Hey,

This forum has been so very helpful... I really cannot thank the posters here enough!

However, I have a question I have not been able to find an answer to. I have a search with which I am trying to gather statistics for the previous day, but only the previous weekday. So if today is Monday I want my search to reflect information from Friday. If it is Tuesday I want the search to reflect information from Monday.

So I am trying to essentially do something along the lines of:

"mysearch" earliest=if(strftime(now(), "%A")=="Monday", relative_time(now(),"@w5"), relative_time(now(),"-d@d") )  latest=if(strftime(now(), "%A")=="Monday", relative_time(now(), "@w6"), relative_time(now(),"@d")) | chart count by host

However, splunk does not like this syntax. Is there something I am missing or a simple way of doing this? Thank you very much for your help!!

1 Solution

Genti
Splunk Employee

Hey Steven,

Spent some time on this but I think I got it to work. Try this:

index=_internal [search index=_internal | head 1 | eval earliest=if(date_wday="monday", "-3d@d", "-1d@d") | eval latest=if(date_wday="monday", "-2d@d", "@d") | table earliest, latest | format "" "" "" "" "" ""] 

If you are running the search on Monday, it should go back and look at only the Friday data. If you are running it on any other day, it will look at the previous day only.

Be careful, however: this is not taking into consideration running this search on Saturday or Sunday. You could have a more nested if for the earliest, but that was too complicated and it didn't seem that you needed it anyway.

Let me know if this worked for ya.
Cheers,
.gz

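To check what a pair of modifiers like "-3d@d" and "-2d@d" actually selects on each weekday before scheduling the search, here is an added Python example (not part of the thread or of Splunk) that evaluates the day/hour relative time modifiers used above against a given run time and picks the earliest/latest pair per weekday, extending Genti's rule to Saturday and Sunday, the case the answer says it leaves out; the run dates are constructed.

```python
import re
from datetime import datetime, timedelta

# Units used by the modifiers on this page; Splunk's m, w, mon, y units are omitted.
_UNITS = {"d": timedelta(days=1), "h": timedelta(hours=1)}
_TOKEN = re.compile(r"([+-]?\d+)([dh])|@([dh])")

def relative_time(now, modifier):
    """Evaluate a Splunk-style relative time modifier against `now`.
    Tokens apply left to right: an offset such as "-3d" shifts the time and a
    snap such as "@d" truncates to the start of that unit, so "-3d@d-4h" means
    back three days, snap to midnight, then back four hours."""
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError(f"unsupported modifier: {modifier!r}")
        pos = m.end()
        offset, unit, snap = m.groups()
        if snap == "d":
            t = t.replace(hour=0, minute=0, second=0, microsecond=0)
        elif snap == "h":
            t = t.replace(minute=0, second=0, microsecond=0)
        else:
            t += int(offset) * _UNITS[unit]
    if not modifier or pos != len(modifier):
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return t

def previous_weekday_modifiers(now):
    """Earliest/latest modifiers covering the previous weekday: the rule the
    accepted answer's subsearch applies, extended so that Saturday and Sunday
    also look back to the whole of Friday."""
    wday = now.strftime("%A").lower()
    if wday == "monday":
        return "-3d@d", "-2d@d"
    if wday == "sunday":
        return "-2d@d", "-1d@d"
    return "-1d@d", "@d"  # Tuesday..Saturday: the whole of yesterday

def resolve_window(now):
    """Absolute (earliest, latest) datetimes the chosen modifiers select."""
    earliest, latest = previous_weekday_modifiers(now)
    return relative_time(now, earliest), relative_time(now, latest)

if __name__ == "__main__":  # constructed run times; 2024-03-11 is a Monday
    for day in range(9, 13):
        run = datetime(2024, 3, day, 10, 30)
        print(run.strftime("%A"), previous_weekday_modifiers(run), resolve_window(run))
```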


stevensa
Explorer

Genti,
Thank you very, very much for spending the time to think through an answer. Definitely a cool solution to the problem! I really appreciate the help, resolved a big issue for me (my boss!)!


sweetlile
Explorer

I have the same issue but I want to display the result on a table, and I can't disable the selection of time range automatically. How did you do it?
This is my search:

source="##" Return_Code="*"  ServiceName="*" [search source="##" | head 1 | eval earliest=if(date_wday="monday", "-3d@d-4h", "-1d@d-4h") | eval latest=if(date_wday="monday", "@d-4h", "@d-4h") | table earliest, latest | format "" "" "" "" "" ""] | chart count by  Return_Code, ServiceName

It doesn't work when it's Monday. I want the search from Friday at 8AM until Monday at 8AM, and if it's another day, I want the search results to be from the -d at 8AM until the current day at 8AM.
Can you help me, Please?


Genti
Splunk Employee

Clearly, you need to modify "index=_internal" to match on both the search and the subsearch.
