Hi,
Splunk search query to get the last two months of data.
I need only every Friday's data in the time range, for 15 minutes (i.e. 08:00 AM to 08:15 AM every Friday).
Example:
Date        fieldA
21/01/2022  value1
14/01/2022  value2
07/01/2022  value3
Can anyone please suggest how I can achieve this?
You could generate a set of earliest and latest values to use with your search
index=_internal
[| makeresults
| addinfo
| eval firstfriday=relative_time(info_min_time,"@w+5d+8h")
| eval firstfriday=if(firstfriday<info_min_time,firstfriday+(60*60*24*7),firstfriday)
| eval lastfriday=relative_time(info_max_time,"@w+5d+8h+15m")
| eval lastfriday=if(lastfriday>info_max_time,lastfriday-(60*60*24*7),lastfriday)
| eval weeks=floor((lastfriday-firstfriday)/(60*60*24*7))+1
| eval week=mvrange(0,weeks)
| mvexpand week
| eval earliest=firstfriday+(week*60*60*24*7)
| eval latest=lastfriday-((weeks-week-1)*60*60*24*7)
| fields - _time
| fields earliest latest
| format]
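To see what this subsearch actually hands to the outer search, here is an added Python replica of its window arithmetic (example code, not from the post or from Splunk): it snaps to the Sunday week start like `@w`, applies the same boundary corrections, and renders the clause the way `| format` would. It assumes UTC and integer epoch inputs (Splunk uses the search's time zone); `friday_windows` and `format_clause` are names chosen here.

```python
from datetime import datetime, timedelta, timezone

WEEK = 60 * 60 * 24 * 7  # seconds, same constant the SPL uses

def snap_week_plus(epoch: float, offset: timedelta) -> float:
    """Mimic relative_time(epoch, "@w+<offset>"): snap to Sunday 00:00 UTC, then add offset.
    Assumption: UTC is used throughout (Splunk would use the search time zone)."""
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    midnight = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    # Python weekday(): Monday=0 ... Sunday=6; Splunk @w snaps back to Sunday.
    sunday = midnight - timedelta(days=(midnight.weekday() + 1) % 7)
    return (sunday + offset).timestamp()

def friday_windows(info_min_time: float, info_max_time: float):
    """Return [(earliest, latest), ...] for every Friday 08:00-08:15 window in range,
    following the firstfriday/lastfriday/weeks logic of the subsearch."""
    first = snap_week_plus(info_min_time, timedelta(days=5, hours=8))
    if first < info_min_time:            # that Friday lies before the range start
        first += WEEK
    last = snap_week_plus(info_max_time, timedelta(days=5, hours=8, minutes=15))
    if last > info_max_time:             # that Friday's window has not closed yet
        last -= WEEK
    weeks = int((last - first) // WEEK) + 1   # weeks <= 0 yields no windows, like mvrange(0,0)
    return [(first + w * WEEK, last - (weeks - w - 1) * WEEK) for w in range(max(weeks, 0))]

def format_clause(windows):
    """Render the windows as `| format` does, ready to paste after the index= term."""
    parts = [f'( earliest="{int(e)}" AND latest="{int(l)}" )' for e, l in windows]
    return "( " + " OR ".join(parts) + " )"

if __name__ == "__main__":
    # Constructed range: 2022-01-01 00:00 UTC to 2022-01-22 12:00 UTC, covering the three
    # Fridays (07/01, 14/01, 21/01) shown in the question.
    for e, l in friday_windows(1640995200, 1642852800):
        print(datetime.fromtimestamp(e, tz=timezone.utc), "->", datetime.fromtimestamp(l, tz=timezone.utc))
    print(format_clause(friday_windows(1640995200, 1642852800)))
```

Running it against a range that ends at 08:05 on a Friday shows the `lastfriday` correction in action: that Friday is dropped because its 08:15 end lies after `info_max_time`.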
Can you please help with a sample search showing how to use these "earliest" and "latest" values in a search?
@ITWhisperer
I am not sure what you are asking for here - I posted an example which uses _internal as the index - simply replace this with your index.
Hi @kirrusk,
Did you explore the timewrap command (https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Timewrap)?
Please try something like this:
index=your_index date_hour=8 date_minute<16 date_wday=friday earliest=-2mon
| timechart count span=1d
| timewrap 1mon
Ciao.
Giuseppe
Thanks didn't know about timewrap. Looks useful.