I have a little problem with the filtering date, I need a way to filter my dashboard so as to have the informations about the last week always starting on the first day of the week Monday even if we're wednesday,
For example :
If its Wednesday ; it's displays informations from the last Monday until Wednesay .
Thank you for your help .
@taha13, you must first read and understand Time Modifiers and Snap To syntax from Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Search/Specifytimemodifiersinyoursearch
Please try the following run anywhere dashboard. Based on the current week day it sets the following two time ranges:
If current Week Day is
Mon, Tue or, it sets the earliest time as
Previous Week @ Monday
and latest time as
Week @ Sunday
Else if the current Week Day is
Thu,, it sets the
Fri, Sat or Sun
earliest time as
Previous Week @ Monday and latest
Current Week @.
In order to test various weekdays, replace the following search pipe
| eval WeekDay=strftime(_time,"%a") with your specific weekday for example
| eval WeekDay ="Wed" or
| eval WeekDay ="Thu" etc.
<form> <label>Earliest and Latest Time based on current day</label> <search> <query> | makeresults | eval WeekDay=strftime(_time,"%a") | eval Hour=strftime(_time,"%H") | eval Time=case(WeekDay in ("Mon","Tue","Wed"),"earliest=-1w@w1 latest=-0w@w",true(),"earliest=-1w@w1 latest=-0w@w3") | table _time WeekDay Hour Time </query> <progress> <set token="queryTimeRange">$result.Time$</set> <set token="tokWeekDay">$result.WeekDay$</set> </progress> </search> <fieldset submitButton="false"></fieldset> <row> <panel> <table> <title>Today's Week Day: $tokWeekDay$ - Time Range: $queryTimeRange$</title> <search> <query>index=_internal sourcetype=splunkd log_level="ERROR" $queryTimeRange$ | stats count as Errors | addinfo | fieldformat info_min_time=strftime(info_min_time,"%c") | fieldformat info_max_time=strftime(info_max_time,"%c") | fieldformat info_search_time=strftime(info_search_time,"%c") | table Errors info_min_time info_max_time info_search_time </query> </search> </table> </panel> </row> </form>
Please try out and confirm.
Tnak you for your answer @niketnilay
But,can you just tell me where should i put this query in my code
<condition label="Semaine précédente"> <set token="earliest1_token">$value$</set> <set token="earliest_token">$value$</set> <set token="latest_token">-0w@w</set> <set token="time_token">true</set> --------------------- <row> <panel> <single> <title>Nombre de clients éligibles au Tchat</title> <search> <query>|loadjob savedsearch=":ied:$loadjob_token_job$" |search $media_token$ $chatOrigin_token$ |eval date_time = strftime(_time,"%Y-%m-%d") | eval earliest_time_relative=relative_time(now(),"$earliest_token$") | eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d") | eval earliest1_time_relative=relative_time(now(),"$earliest1_token$") | eval earliest1_time = strftime(earliest1_time_relative,"%Y-%m-%d") | eval latest_time_relative=relative_time(now(),"$latest_token$") | eval latest_time = strftime(latest_time_relative,"%Y-%m-%d") | eval date = strftime(_time,"%Y-%m-%d") | where date == "$time_token$" OR (date_time >= earliest1_time AND latest_time >= date_time) OR date_time>= earliest_time |stats dc(eval(if((isEligible_lo=1), client, NULL))) AS Nombre_clients_éligibles_au_Tchat BY _time,media,chatOrigin | stats SUM(Nombre_clients_éligibles_au_Tchat) AS snb | fields snb</query> </search> <option name="useThousandSeparators">0</option> </single> </panel> <row>
Before I can assist further, have you tested above Run Anywhere dashboard of mine? Does it set the earliest and latest time as per expectations? And have you understood how that dashboard is working?
Following run anywhere search can be the first line of your dashboard, may be after
<query> | makeresults | eval WeekDay=strftime(_time,"%a") | eval Hour=strftime(_time,"%H") | eval Time=case(WeekDay in ("Mon","Tue","Wed"),"earliest=-1w@w1 latest=-0w@w",true(),"earliest=-1w@w1 latest=-0w@w3") | table _time WeekDay Hour Time </query> <progress> <set token="queryTimeRange">$result.Time$</set> </progress>
$queryTimeRange$ in your base search for the queries that should pick up the earliest and latest time as per your question.
In your dashboard example seems like you are loading the result of a saved search, which might have already run. Maybe you can have two saved searches instead and set the token for their saved search names instead.
@taha13, is your issue resolved? Please accept the answer if it is to mark this question as answered!
You can try using
for exactly seven days. So if you check on Wednesday 12 p.m. it will show you from the previous wednesday 12 p.m.
For the entire day. So if you check on Wednesday - irrespective of the time, it will show you the results of the whole day.
Here's the documentation, for you to understand this better
@taha13, can you check the following answer on similar lines?https://answers.splunk.com/answers/527234/making-same-query-run-for-different-times.html