Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

use latest as part of where clause

jasonmadesometh
Explorer
‎04-22-2020 05:58 AM

Right now I have a search set up that compares the previous hours events to the same hour 1 week ago:

foo | timechart count span=1h
| where strftime(_time, "%A %H")==strftime(relative_time(now(),"-1h"),"%A %H")

However I would like to add it to a dashboard and instead of having everything relative to "now" I would like it to be based on the time picker. How can I change the second strftime to allow me to do this? Currently I have to set the time picker to the previous 7 days to get this to work on the report, though I'm not married to that implementation.
I have tried the below search, however it doesn't return any events:

foo| timechart count span=1h
| where strftime(_time, "%A %H")==strftime(latest,"%A %H")

I tried using addinfo, but to no avail:

foo
| addinfo 
| eval high=strftime(relative_time(info_max_time, "-1h"), "%A %H")
| timechart count span=1h
| where strftime(_time, "%A %H")==high
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-22-2020 06:07 AM

try addinfo 's info_max_time

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo

Reply
Solved! Jump to solution

jasonmadesometh
Explorer
‎04-22-2020 06:12 AM

foo
| addinfo
| timechart count span=1h
| timewrap w
| where strftime(_time, "%A %H")==strftime(relative_time(info_max_time,"-1h"),"%A %H")

returns no results as well

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-22-2020 01:23 PM 
foo
| timechart count span=1h
| timewrap w
| addinfo
| where relative_time(_time, "@h")==relative_time(info_max_time,"-1h@h")

Query order is wrong.
If you have wrong result, try and check line by line.

Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-22-2020 06:04 AM

did you look into the timewrap command?
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Timewrap

0 Karma
Reply
Solved! Jump to solution

jasonmadesometh
Explorer
‎04-22-2020 06:15 AM

Yeah, timewrap worked perfectly for the graph, though I'm trying to generate a scorecard for a dashboard. My timewrap command looks like this:
foo
| timechart count span=5m
| timewrap w
| where strftime(_time, "%A")=="Monday"

And what I would like to do is replace that monday string with something I can base off the time picker's latest property

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...