Right now I have a search set up that compares the previous hour's events to the same hour 1 week ago:
foo | timechart count span=1h
| where strftime(_time, "%A %H")==strftime(relative_time(now(),"-1h"),"%A %H")
However I would like to add it to a dashboard and instead of having everything relative to "now" I would like it to be based on the time picker. How can I change the second strftime to allow me to do this? Currently I have to set the time picker to the previous 7 days to get this to work on the report, though I'm not married to that implementation.
I have tried the below search, however it doesn't return any events:
foo | timechart count span=1h
| where strftime(_time, "%A %H")==strftime(latest,"%A %H")
I tried using addinfo, but to no avail:
foo
| addinfo
| eval high=strftime(relative_time(info_max_time, "-1h"), "%A %H")
| timechart count span=1h
| where strftime(_time, "%A %H")==high
try addinfo's info_max_time
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo
foo
| addinfo
| timechart count span=1h
| timewrap w
| where strftime(_time, "%A %H")==strftime(relative_time(info_max_time,"-1h"),"%A %H")
returns no results as well
foo
| timechart count span=1h
| timewrap w
| addinfo
| where relative_time(_time, "@h")==relative_time(info_max_time,"-1h@h")
Query order is wrong.
If you get a wrong result, try checking it line by line.
did you look into the timewrap command?
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Timewrap
Yeah, timewrap worked perfectly for the graph, though I'm trying to generate a scorecard for a dashboard. My timewrap command looks like this:
foo
| timechart count span=5m
| timewrap w
| where strftime(_time, "%A")=="Monday"
And what I would like to do is replace that "Monday" string with something I can base off the time picker's latest property.
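Putting the working query from the "Query order is wrong" reply together with the scorecard the asker describes at the end of the thread, here is one way to build a single-value panel that is driven entirely by the dashboard time picker. This is an added example, not a search from the thread or from Splunk's documentation: `index=foo` stands in for the asker's `foo` base search, and it assumes the picker's range covers at least two full weeks so that `timewrap` has a previous-week series to compare against.

```spl
index=foo
| timechart count span=1h
| timewrap w series=short
| addinfo
| where relative_time(_time, "@h") == relative_time(info_max_time, "-1h@h")
| eval pct_change = if(s1 > 0, round((s0 - s1) / s1 * 100, 1), null())
| rename s0 AS this_week, s1 AS last_week
| table _time this_week last_week pct_change
```

`series=short` names the wrapped columns `s0` (most recent week), `s1` (one week earlier) and so on, which is easier to reference in an `eval` than the default `count_latest_week` / `count_1week_before` names. `addinfo` sits after `timechart` and `timewrap` on purpose: `timechart` emits only `_time` plus the aggregated series, so any field computed before it (such as the `high` field in the asker's first attempt) is discarded, and `latest` is a search-time modifier rather than a result field, so `strftime(latest, ...)` evaluates to null and the `where` clause matches nothing. Comparing epoch values snapped with `@h` avoids the ambiguity of string matching on `%A %H` and, because `info_max_time` follows the picker, the same search works for any range the dashboard user selects. The resulting single row (`this_week`, `last_week`, `pct_change`) can feed a single-value visualization directly.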