Splunk Search

how to get a value for now and 7 days ago

Sam_2020
New Member

I want the values of TID_now and TID_7 days ago in my table

 

I tried 

| eval TID_7days=TID(now(), "-7d@d")

It says the expression is malformed.

 

0 Karma

to4kawa
Ultra Champion

sample:

 

index=_internal (earliest=-8d@d latest=-7d@d) OR (earliest=-1d@d latest=@d)
| eval date=strftime(_time,"%F")
| chart count by sourcetype date

 

0 Karma

saravanan90
Contributor

In case this is your requirement:

| makeresults | eval TID_7days=relative_time(now(), "-7d@d"), TID_now=now()
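
Added example, not posted by anyone in this thread: it combines the two-window search from the earlier reply with relative_time() to put both timestamps and a per-sourcetype count for each window into one table. It assumes TID_now and TID_7days are meant to be epoch timestamps and that the goal is a week-over-week comparison; the period values and the *_readable field names are made up for illustration.

```spl
index=_internal ((earliest=-7d@d latest=-7d) OR (earliest=@d latest=now))
| eval period=if(_time >= relative_time(now(), "@d"), "count_today", "count_7days_ago") ```assumed goal: compare today so far with the same hours 7 days ago```
| chart count over sourcetype by period
| eval TID_now=now(), TID_7days=relative_time(now(), "-7d@d") ```epoch seconds; "-7d@d" goes back 7 days, then snaps to midnight```
| eval TID_now_readable=strftime(TID_now, "%F %T"), TID_7days_readable=strftime(TID_7days, "%F %T") ```illustrative field names```
| table sourcetype count_7days_ago count_today TID_7days TID_7days_readable TID_now TID_now_readable
```

The first window ends at latest=-7d rather than -6d@d so that both windows cover midnight up to the current time of day.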

ITWhisperer
SplunkTrust

What is TID in this context? Why have you labelled this rex when rex isn't mentioned?

0 Karma