latest date

taha13
Explorer

Hello,

So my question today is: for my earliest time I have "-1w@w1", so my search starts from the last Monday. The problem is that despite the latest time being "-0w@w", I have yesterday as the latest time, while I want the last Saturday as the latest time.

| eval date_time = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"-1w@w1")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval earliest1_time_relative=relative_time(now(),"-1w@w1")
| eval earliest1_time = strftime(earliest1_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"-0w@w")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| eval date = strftime(_time,"%Y-%m-%d")
| where date == "-1w@w" OR (date_time >= earliest1_time AND latest_time >= date_time) OR date_time >= earliest_time


cmerriman
Super Champion

Your earliest_time-type and latest_time-type fields are not in epoch form; they are strings. Because of that, you cannot filter using _time. I'm also not sure why you have two sets for earliest that are calculating the same thing. Try something like this:

| eval date = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"-1w@w1")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"@w6")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| where (_time >= earliest_time_relative AND _time <= latest_time_relative)

Some of the evals might not be necessary; I'm not using date, earliest_time, or latest_time. Depending on what you're doing, you could also just put earliest=1w@w1 latest=@w6 in the base search instead of doing this eval.

If this isn't what you're looking for, please let me know what I'm missing so I can better help.


Richfez
SplunkTrust

taha13,

Can you make this work in an actual search? I think that's your first step.

Be sure to use the epoch versions of the dates/times, because that's what _time is. E.g. in all the above, do NOT use the "earliest_time" and so on, but instead use the "earliest_time_relative" and related fields for your comparisons.

Once you get it working in a search and returning only the days you want, I think it'll be pretty easy to make it work in your dashboard.

Or can you post the entire search? Maybe there's something going on there we aren't seeing?


taha13
Explorer

It works for the last week but doesn't for the last month, for example, or for yesterday.
This is what I have for yesterday in the search:

| eval date = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"-1d@d")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"true")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| where (_time >= earliest_time_relative AND _time <= latest_time_relative)

Richfez
SplunkTrust

I think @cmerriman asked this too, but how could

| eval latest_time_relative=relative_time(now(),"true")

possibly work?

If you run the search and replace true with what you want the latest time to be, does that search run and give you the desired results?


taha13
Explorer

It doesn't work; this is my code:

| eval date_time = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"$earliest_token$")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval earliest1_time_relative=relative_time(now(),"$earliest1_token$")
| eval earliest1_time = strftime(earliest1_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"$latest_token$")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| eval date = strftime(_time,"%Y-%m-%d")
| where date == "$time_token$" OR (date_time >= earliest1_time AND latest_time >= date_time) OR date_time >= earliest_time

Then when I read the search I have:

| eval date = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"-1d@d")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"true")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| where date == (_time >= earliest_time AND latest_time_relative >= _time) OR _time >= earliest_time_relative

cmerriman
Super Champion

What are you inputting for your latest_time that it is evaluating to true?

Can you post what your inputs look like? You have $time_token$, but I'm not sure how that's being created, so unless it's in the form of YYYY-MM-DD, that part of your where statement won't work. The date_time>=earliest_time won't work either, since that is a string and not epoch. Maybe try |eval date_time = strptime(strftime(_time,"%Y-%m-%d"),"%Y-%m-%d") or even |eval date_time=relative_time(_time,"@d") to snap _time to the beginning of the day, which is essentially what you're doing with strftime.
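The two points cmerriman makes in this thread (the week modifiers resolve to epoch instants, and the where clause must compare those epochs rather than the strftime strings) are easier to see with a runnable model. The following is an added example, not code from the thread or from Splunk: a small Python implementation of relative_time() for the modifiers used here ("-1w@w1", "@w6", "-0w@w", "-1d@d", "@d", and a trailing offset such as "@w6+1d"), applied to constructed events for the week of 11 March 2024 with NOW fixed to a Monday morning so that the original "yesterday" observation is reproduced. The event list, NOW, and the helper names (select_window, string_filter_matches, day_string) are assumptions made for the example.

```python
"""Added example (not from the Splunk thread): a model of Splunk's relative_time()
for the modifiers used in the thread, plus the epoch-based where clause."""
from datetime import datetime, timedelta
import re

# <offset>@<snap><offset>, e.g. "-1w@w1", "@w6", "-1d@d", "@w6+1d".
# Splunk applies the leading offset first, then the snap, then the trailing offset.
_MOD = re.compile(
    r"^(?:(?P<s1>[+-])(?P<n1>\d+)(?P<u1>[smhdw]))?"
    r"(?:@(?P<snap>d|w[0-6]?))?"
    r"(?:(?P<s2>[+-])(?P<n2>\d+)(?P<u2>[smhdw]))?$"
)
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def _offset(t, sign, n, unit):
    """Apply a [+-]<n><unit> offset; no-op when the group did not match."""
    if not unit:
        return t
    delta = timedelta(**{_UNIT[unit]: int(n)})
    return t - delta if sign == "-" else t + delta


def relative_time(now: datetime, modifier: str) -> datetime:
    """Resolve a relative-time modifier against `now` (an instant, like Splunk's epoch)."""
    m = _MOD.match(modifier)
    if not modifier or not m:
        # This is what happens to the thread's relative_time(now(),"true"): it is not a modifier.
        raise ValueError(f"unsupported relative-time modifier: {modifier!r}")
    t = _offset(now, m["s1"], m["n1"], m["u1"])
    snap = m["snap"]
    if snap:
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)  # @d and @w* both snap to midnight
        if snap.startswith("w"):
            # Splunk weekdays: @w or @w0 = Sunday ... @w6 = Saturday; Python: Monday=0 ... Sunday=6.
            splunk_day = int(snap[1:]) if len(snap) > 1 else 0
            back = (t.weekday() - (splunk_day - 1) % 7) % 7
            t -= timedelta(days=back)  # snap backwards to the most recent such weekday
    return _offset(t, m["s2"], m["n2"], m["u2"])


# Constructed sample data (assumption): one event at noon each day, Sat 9 Mar .. Mon 18 Mar 2024.
EVENTS = [datetime(2024, 3, d, 12, 0) for d in range(9, 19)]
# Constructed "now": Monday 18 March 2024, 09:30, which makes "-0w@w" resolve to yesterday (Sunday).
NOW = datetime(2024, 3, 18, 9, 30)


def day_string(t: datetime) -> str:
    """What strftime(_time,"%Y-%m-%d") yields: a string, not an epoch."""
    return t.strftime("%Y-%m-%d")


def select_window(events, now, earliest_mod, latest_mod):
    """cmerriman's where clause: compare _time against the *_relative epochs."""
    earliest = relative_time(now, earliest_mod)
    latest = relative_time(now, latest_mod)
    return [e for e in events if earliest <= e <= latest]


def string_filter_matches(events, literal):
    """The original `where date == "-1w@w"`: a %Y-%m-%d string is compared with modifier text."""
    return [e for e in events if day_string(e) == literal]


if __name__ == "__main__":
    for mod in ("-0w@w", "-1w@w1", "@w6", "@w6+1d", "-1d@d", "@d"):
        print(f"{mod:>7} -> {relative_time(NOW, mod)}")
    print("Mon..Sat window, latest=@w6   :", [day_string(e) for e in select_window(EVENTS, NOW, "-1w@w1", "@w6")])
    print("Mon..Sat window, latest=@w6+1d:", [day_string(e) for e in select_window(EVENTS, NOW, "-1w@w1", "@w6+1d")])
    print("string filter matches:", string_filter_matches(EVENTS, "-1w@w"))
```

Two things the run shows beyond the thread: "@w6" resolves to Saturday 00:00, so `_time <= latest_time_relative` drops Saturday's own events, and "@w6+1d" (Sunday 00:00) is the bound that includes them; and a `%Y-%m-%d` string can never equal a literal such as "-1w@w", so that branch of the original where clause is dead.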


taha13
Explorer

My input:

          <set token="earliest1_token">-1w@w1</set>
          <set token="earliest_token">-1w@w1</set>
          <set token="latest_token">@w6</set>
          <set token="time_token">true</set>
          <unset token="depends_token_1">true</unset>
          <unset token="depends_token_2">true</unset>
          <unset token="depends_token_3">true</unset>
          <unset token="depends_token_4">true</unset>
          <unset token="depends_token_5">true</unset>
          <unset token="depends_token_6">true</unset>
          <set token="depends_token_7">true</set>
          <unset token="depends_token_8">true</unset>
          <unset token="depends_token_9">true</unset>
          <set token="show_Data_Labels_token">all</set>
          <set token="token_span">$token_span7$</set>
          <!-- <set token="loadjob_token_job">job_mois_encours</set> -->
          <set token="loadjob_token_job">job_mois_encours_backup</set>
        </condition>