Hello,
So my question today is: for my earliest time I have "-1w@w1", so my research starts from the last Monday. The problem is that, despite the latest time being "-0w@w", I have yesterday as the latest time, while I want last Saturday as the latest time.
|eval date_time = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"-1w@w1")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval earliest1_time_relative=relative_time(now(),"-1w@w1")
| eval earliest1_time = strftime(earliest1_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"-0w@w")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| eval date = strftime(_time,"%Y-%m-%d")
| where date == "-1w@w" OR (date_time >= earliest1_time AND latest_time >= date_time) OR date_time>= earliest_time
Your earliest_time-type and latest_time-type fields are not in epoch form, they are strings. Because of that, you cannot filter using _time. I'm also not sure why you have two sets for earliest that are calculating the same thing. Try something like this:
|eval date = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"-1w@w1")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"@w6")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| where (_time >= earliest_time_relative AND _time<=latest_time_relative)
Some of the evals might not be necessary. I'm not using date, earliest_time, or latest_time. Depending on what you're doing, you could also just put earliest=1w@w1 latest=@w6 in the base search instead of doing this eval.
If this isn't what you're looking for, please let me know what I'm missing so I can better help.
taha13,
Can you make this work in an actual search? I think that's your first step.
Be sure to use the epoch versions of the dates/times, because that's what _time is. E.g. in all the above, do NOT use the "earliest_time" and so on, but instead use the "earliest_time_relative" and related fields for your comparisons.
Once you get it working in a search and returning only the days you want, I think it'll be pretty easy to make it work in your dashboard.
Or can you post the entire search? Maybe there's something going on there we aren't seeing?
It works for the last week but doesn't for the last month, for example, or for yesterday.
This is what I have for yesterday in the search:
|eval date = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"-1d@d")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"true")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| where (_time >= earliest_time_relative AND _time<=latest_time_relative)
I think @cmerriman asked this too, but how could
| eval latest_time_relative=relative_time(now(),"true")
possibly work?
If you run the search and replace true with what you want the latest time to be, does that search run and give you the desired results?
It doesn't work, this is my code:
|eval date_time = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"$earliest_token$")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval earliest1_time_relative=relative_time(now(),"$earliest1_token$")
| eval earliest1_time = strftime(earliest1_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"$latest_token$")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| eval date = strftime(_time,"%Y-%m-%d")
| where date == "$time_token$" OR (date_time >= earliest1_time AND latest_time >= date_time) OR date_time>= earliest_time
Then when I read the search I have:
|eval date = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"-1d@d")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"true")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| where date == (_time >= earliest_time AND latest_time_relative >= _time) OR _time >= earliest_time_relative
What are you inputting for your latest_time that it is evaluating to true? Can you post what your inputs look like? You have $time_token$, but I'm not sure how that's being created, so unless it's in the form of YYYY-MM-DD, that part of your where statement won't work. The date_time>=earliest_time won't work either, since that is a string and not epoch. Maybe try |eval date_time = strptime(strftime(_time,"%Y-%m-%d") ,"%Y-%m-%d") or even |eval date_time=relative_time(_time,"@d") to snap _time to the beginning of the day, which is essentially what you're doing with strftime.
My input:
<set token="earliest1_token">-1w@w1</set>
<set token="earliest_token">-1w@w1</set>
<set token="latest_token">@w6</set>
<set token="time_token">true</set>
<unset token="depends_token_1">true</unset>
<unset token="depends_token_2">true</unset>
<unset token="depends_token_3">true</unset>
<unset token="depends_token_4">true</unset>
<unset token="depends_token_5">true</unset>
<unset token="depends_token_6">true</unset>
<set token="depends_token_7">true</set>
<unset token="depends_token_8">true</unset>
<unset token="depends_token_9">true</unset>
<set token="show_Data_Labels_token">all</set>
<set token="token_span">$token_span7$</set>
<!-- <set token="loadjob_token_job">job_mois_encours</set> -->
<set token="loadjob_token_job">job_mois_encours_backup</set>
</condition>