Hey,
This forum has been so very helpful... I really cannot thank the posters here enough!
However, I have a question I have not been able to find an answer to. I have a search that I am trying to gather statistics for the previous day, but only the previous weekday. So if today is Monday I want my search to reflect information from Friday. If it is Tuesday I want the search to reflect information from Monday.
So I am trying to essentially do something along the lines of:
"mysearch" earliest=if(strftime(now(), "%A")=="Monday", relative_time(now(),"@w5"), relative_time(now(),"-d@d") ) latest=if(strftime(now(), "%A")=="Monday", relative_time(now(), "@w6"), relative_time(now(),"@d")) | chart count by host
However, Splunk does not like this syntax. Is there something I am missing or a simple way of doing this? Thank you very much for your help!!
Hey Steven,
Spent some time on this but I think I got it to work. Try this:
index=_internal [search index=_internal | head 1 | eval earliest=if(date_wday="monday", "-3d@d", "-1d@d") | eval latest=if(date_wday="monday", "-2d@d", "@d") | table earliest, latest | format "" "" "" "" "" ""]
If you are running the search on Monday, it should go back and look at only the Friday data. If you are running it on any other day, it will look at the previous day only.
Be careful however, this is not taking into consideration running this search on Saturday or Sunday. You could have a more nested if for the earliest, but that was too complicated and it didn't seem that you needed it anyway.
Let me know if this worked for ya.
Cheers,
.gz
Genti,
Thank you very, very much for spending the time to think through an answer. Definitely a cool solution to the problem! I really appreciate the help, resolved a big issue for me (my boss!)!
I have the same issue but I want to display the result on a table, I can't disable the selection of time-range automatically. How did you do it?
This is my search:
source="##" Return_Code="*" ServiceName="*" [search source="##" | head 1 | eval earliest=if(date_wday="monday", "-3d@d-4h", "-1d@d-4h") | eval latest=if(date_wday="monday", "@d-4h", "@d-4h") | table earliest, latest | format "" "" "" "" "" ""] | chart count by Return_Code, ServiceName
It doesn't work when it's Monday. I want the search from Friday at 8AM until Monday at 8AM, and if it's another day, I want the search results to be from the -d at 8AM until the current day at 8AM.
Can you help me, Please?
Clearly, you need to modify "index=_internal" to match.
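Added example, not from any poster in this thread: a variant of the subsearch above that also covers Saturday and Sunday (the caveat Genti raised) and derives the weekday from now() with strftime rather than from the timestamp of the latest indexed event, so a stale index cannot shift the window. index=_internal and host are placeholders for the real search.

```spl
index=_internal
    [| makeresults
     | eval wday=strftime(now(), "%w")
     | eval earliest=case(wday="1", "-3d@d", wday="0", "-2d@d", true(), "-1d@d")
     | eval latest=case(wday="1", "-2d@d", wday="0", "-1d@d", true(), "@d")
     | table earliest latest
     | format "" "" "" "" "" ""]
| chart count by host
```

%w yields 0 for Sunday through 6 for Saturday, so Monday and Sunday both map to Friday and Saturday falls through to the default "-1d@d", which is also Friday. To start each window at 08:00 instead of midnight, append +8h after every @d snap (for example "-1d@d+8h" to "@d+8h").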