
Variable earliest and latest?

Explorer

Hey,

This forum has been so very helpful... I really cannot thank the posters here enough!

However, I have a question I have not been able to find an answer to. I have a search with which I am trying to gather statistics for the previous day, but only the previous weekday. So if today is Monday I want my search to reflect information from Friday. If it is Tuesday I want the search to reflect information from Monday.

So I am trying to essentially do something along the lines of:

"mysearch" earliest=if(strftime(now(), "%A")=="Monday", relative_time(now(),"@w5"), relative_time(now(),"-d@d") )  latest=if(strftime(now(), "%A")=="Monday", relative_time(now(), "@w6"), relative_time(now(),"@d")) | chart count by host

However, Splunk does not like this syntax. Is there something I am missing or a simple way of doing this? Thank you very much for your help!!

Re: Variable earliest and latest?

Splunk Employee

Hey Steven,

Spent some time on this but I think I got it to work. Try this:

index=_internal [search index=_internal | head 1 | eval earliest=if(date_wday="monday", "-3d@d", "-1d@d") | eval latest=if(date_wday="monday", "-2d@d", "@d") | table earliest, latest | format "" "" "" "" "" ""] 

If you are running the search on Monday, it should go back and look at only the Friday data. If you are running it on any other day, it will look at the previous day only.

Be careful, however: this does not take into consideration running this search on Saturday or Sunday. You could have a more nested if for the earliest, but that was too complicated and it didn't seem that you needed it anyway.

Let me know if this worked for ya.
Cheers,
.gz

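The same approach, reworked here as an added example (this is not code from the thread): the subsearch derives the weekday from now() with makeresults instead of from the newest event in the index, so it does not depend on an event existing in the current time range or on that event's timestamp being today; it also covers Saturday and Sunday (both map back to Friday) and emits the two time terms with return instead of format. index=_internal and the chart by host are placeholders carried over from the question.

```spl
index=_internal
    [| makeresults
     | eval wday=strftime(now(), "%A")
     | eval earliest=case(wday=="Monday", "-3d@d",
                          wday=="Sunday", "-2d@d",
                          true(),         "-1d@d")
     | eval latest=case(wday=="Monday", "-2d@d",
                        wday=="Sunday", "-1d@d",
                        true(),         "@d")
     | return earliest latest ]
| chart count by host
```

The subsearch runs first and expands to earliest="-3d@d" latest="-2d@d" on a Monday (and to earliest="-1d@d" latest="@d" on Tuesday through Saturday), and explicit time terms in the search string take precedence over the time range picker, so the same search works unchanged in a dashboard panel. The weekday is taken from the clock and time zone of the user the search runs as (the owner, for a scheduled search), and %A returns English day names under the default locale; if your deployment uses another locale, compare on strftime(now(), "%w") instead, where Sunday is 0 and Monday is 1.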

Re: Variable earliest and latest?

Splunk Employee

Clearly, you need to modify "index=_internal" to match on both the search and the subsearch.


Re: Variable earliest and latest?

Explorer

Genti,
Thank you very, very much for spending the time to think through an answer. Definitely a cool solution to the problem! I really appreciate the help, resolved a big issue for me (my boss!)!


Re: Variable earliest and latest?

Explorer

I have the same issue, but I want to display the result in a table; I can't disable the selection of the time range automatically. How did you do it?
This is my search:

source="##" Return_Code="*"  ServiceName="*" [search source="##" | head 1 | eval earliest=if(date_wday="monday", "-3d@d-4h", "-1d@d-4h") | eval latest=if(date_wday="monday", "@d-4h", "@d-4h") | table earliest, latest | format "" "" "" "" "" ""] | chart count by  Return_Code, ServiceName

It doesn't work when it's Monday. I want the search from Friday at 8AM until Monday at 8AM, and if it's another day, I want the search results to be from -d at 8AM until the current day at 8AM.
Can you help me, please?

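For the 8AM variant asked about in the last post, here is an added check (example code, not from the thread) that resolves a candidate pair of modifiers against each of the last seven days, so the Monday branch can be verified in a table before it goes into the subsearch. It assumes that "8AM" means 08:00 in the time zone the search runs in, so the hour offset is applied after the day snap ("@d+8h"); the modifiers -3d@d+8h, -1d@d+8h and @d+8h are my reading of the intended window (Friday 08:00 to Monday 08:00 on a Monday, previous day 08:00 to today 08:00 otherwise), not something the thread states. The column n counts days back from today, t is noon on each of those days, and window_start/window_end are the boundaries the modifiers would produce if the search were run on that day.

```spl
| makeresults count=7
| streamstats count AS n
| eval t=relative_time(now(), "-" . n . "d@d+12h")
| eval wday=strftime(t, "%A")
| eval start_mod=if(wday=="Monday", "-3d@d+8h", "-1d@d+8h")
| eval end_mod="@d+8h"
| eval window_start=strftime(relative_time(t, start_mod), "%a %Y-%m-%d %H:%M")
| eval window_end=strftime(relative_time(t, end_mod), "%a %Y-%m-%d %H:%M")
| table n wday start_mod end_mod window_start window_end
```

Run this on its own and read the window_start and window_end columns for the Monday row; once they show Friday 08:00 and Monday 08:00, the same start_mod/end_mod expressions can replace the if() values in the subsearch from the accepted answer. Two things to keep in mind: relative time modifiers are applied left to right, so "@d-4h" is midnight today minus four hours, i.e. 20:00 of the previous day, whereas "@d+8h" is 08:00 today; and if the search runs before 08:00, window_end lies in the future and the current day's portion of the window is not yet complete. On Saturday and Sunday the default branch gives Friday 08:00 to Saturday 08:00 and Saturday 08:00 to Sunday 08:00, so add further case() branches if weekend runs should also map back to the last weekday.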