- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- use latest as part of where clause
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right now I have a search set up that compares the previous hours events to the same hour 1 week ago:
foo | timechart count span=1h
| where strftime(_time, "%A %H")==strftime(relative_time(now(),"-1h"),"%A %H")
However I would like to add it to a dashboard and instead of having everything relative to "now" I would like it to be based on the time picker. How can I change the second strftime to allow me to do this? Currently I have to set the time picker to the previous 7 days to get this to work on the report, though I'm not married to that implementation.
I have tried the below search, however it doesn't return any events:
foo| timechart count span=1h
| where strftime(_time, "%A %H")==strftime(latest,"%A %H")
I tried using addinfo, but to no avail:
foo
| addinfo
| eval high=strftime(relative_time(info_max_time, "-1h"), "%A %H")
| timechart count span=1h
| where strftime(_time, "%A %H")==high
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try addinfo 's info_max_time
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try addinfo 's info_max_time
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
foo
| addinfo
| timechart count span=1h
| timewrap w
| where strftime(_time, "%A %H")==strftime(relative_time(info_max_time,"-1h"),"%A %H")
returns no results as well
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
foo
| timechart count span=1h
| timewrap w
| addinfo
| where relative_time(_time, "@h")==relative_time(info_max_time,"-1h@h")
Query order is wrong.
If you have wrong result, try and check line by line.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you look into the timewrap command?
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Timewrap
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, timewrap worked perfectly for the graph, though I'm trying to generate a scorecard for a dashboard. My timewrap command looks like this:
foo
| timechart count span=5m
| timewrap w
| where strftime(_time, "%A")=="Monday"
And what I would like to do is replace that monday string with something I can base off the time picker's latest property
Observability | How to Think About Instrumentation Overhead (White Paper)
Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)
The Great Resilience Quest: 10th Leaderboard Update
