Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to set earliest and latest for custom time

k_harini
Communicator
‎06-19-2017 09:26 AM

I have to set earliest to @d for the custom time stamp

query.. | dedup EMPLOYEE_ID |fields EMPLOYEE_ID STORE_NUMBER STATE REGION PUNCH_OUT_TIME|where PUNCH_OUT_TIME!= " "|eval punch_time= strptime(PUNCH_OUT_TIME,"%d/%m/%Y %H")|bin punch_time span=1h|stats count by REGION punch_time|eval punch_time = strftime(punch_time,"%d/%m/%Y %H %p")|xyseries punch_time REGION count|addtotals|eventstats avg(Total) as Average|rename Total as "Total Punched"|rename Average as "Average Punched"| rename punch_time as PUNCH_OUT_TIME

This query shows hour wise details for all dates. but I need only for current date.. I could not set earliest and latest here. How to do that? please help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-19-2017 10:14 AM

If your _time value (timestamp extraction setup during indexing) is based on PUNCH_OUT_TIME field already, you could just include earliest=@d in your base query.

index=foo sourcetype=bar earliest=@d ....rest of the search...

If it's not based on PUNCH_OUT_TIME field, then try like this (see where condition)

query.. | dedup EMPLOYEE_ID |fields EMPLOYEE_ID STORE_NUMBER STATE REGION PUNCH_OUT_TIME|where PUNCH_OUT_TIME!= " "|eval punch_time= strptime(PUNCH_OUT_TIME,"%d/%m/%Y %H") 
| where punch_time>=relative_time(now,"@d")
...rest of the search...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎07-03-2017 12:07 AM

This is what worked. Thanks somesoni2 :).. you are very helpful

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-19-2017 10:14 AM

If your _time value (timestamp extraction setup during indexing) is based on PUNCH_OUT_TIME field already, you could just include earliest=@d in your base query.

index=foo sourcetype=bar earliest=@d ....rest of the search...

If it's not based on PUNCH_OUT_TIME field, then try like this (see where condition)

query.. | dedup EMPLOYEE_ID |fields EMPLOYEE_ID STORE_NUMBER STATE REGION PUNCH_OUT_TIME|where PUNCH_OUT_TIME!= " "|eval punch_time= strptime(PUNCH_OUT_TIME,"%d/%m/%Y %H") 
| where punch_time>=relative_time(now,"@d")
...rest of the search...
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...