How do you want to display that, as a single value somewhere or in the same table as your example. There are several ways to calculate that. Note that you mention both first and last - but imply earliest in your numbers. Note that you can always make a base search if you have data in one dashboard panel that is used by another and add whatever you need to a post processing search for the average. If you simply want the average of the 3 as a value somewhere, take the last two lines of this. | makeresults | eval _raw="_time Count 10:00 581 10:05 698 10:10 247 10:15 987 10:20 365 10:30 875" | multikv forceheader=1 | eval _time=strptime(time, "%H:%M") | table _time Count | head 3 | stats avg(Count) as Count or as a rolling average of the 3 bins, use this instead of the last two lines above | streamstats window=3 avg(Count) as AvgCount If that doesn't help, please clarify how you want to use this value ... View more

Not sure what you mean here by time bins. You can set the time range for the search in the search itself with the earliest=X latest=Y search criteria. Perhaps you can give some more detail on your data and how you are currently getting from your data to your example. ... View more

Hi @kishan2356, please try this:   index=xxx wf_id=xxx wf_env=xxx sourcetype=xxx usecase=xxx | bin _time span=5m | stats count by _bin request_id | append [ search index=xxx wf_id=xxx wf_env=xxx xxx | bin _time span=5m | stats count BY _time | rename count AS total ] | stats sum(count) AS count values(total) AS total BY _time | eval perc=count/total   Ciao. Giuseppe ... View more

Not sure that your stated problem makes sense. If you have a field 'alphabet' which has one of those 3 values, where the field is a SINGLE value field of either 'a', 'a,b' or 'a,b,c,d' then the Splunk command index=foo alphabet=a  will only find the event where alphabet is ONLY a | makeresults | eval alphabet=split("a,b,c,d:a,b:a",":") | mvexpand alphabet | search alphabet=a whereas if your field alphabet is a MULTIVALUE field that has those values, then it will find all values, e.g. | makeresults | eval alphabet=split("a,b,c,d:a,b:a",":") | mvexpand alphabet | eval alphabet=split(alphabet,",") | search alphabet=a Your SPL 'index=test WHERE ... ' - That is specifying a search term WHERE, not doing a conditional clause | where. The Splunk 'search' command will do string matching on the value, so alphabet=a should only find 'a' and alphabet=*a* would find all.  Using the Splunk 'where' command it can then do much more, e.g. | where match(alphabet,"^a$") or even just | where alphabet="a" but again - SINGLE and MULTIVALUE fields will behave differently, in that BOTH those will match the MULTIVALUE field where ONE of the values is 'a'. Hope this helps   ... View more

Your original post implied the lookup contained _time as a field. If you do not have a time field in your lookup then you can't filter by time. If you have a field called _time in your lookup, then do as I suggest in my previous post. There is a 3rd option which will make a fixed 7 day test (again assuming you have a time field in your lookup) | inputlookup count.csv | where _time>=relative_time(now(), "-7d@d") AND _time<=now()   ... View more

Is there a specific reason you need to execute multiple searches concurrently rather than provide an appropriately broad where clause? ... View more

| multisearch [ search index=xxx sourcetype=xxx xxx earliest=$earliestTime$ latest=$latestTime$ | eval label=xxx | fields -_raw _time ecn label ] [ search index=xxx sourcetype=xxx xxx earliest=$earliestTime1$ latest=$latestTime1$ | eval _time=_time+60*60*24*7 | eval label=xxx  | fields -_raw _time ecn label ] [ search index=xxx sourcetype=xxx xxx earliest=$earliestTime2$ latest=$latestTime2$ | eval _time=_time+60*60*24*14  | eval label=xxx  | fields -_raw _time ecn label ] [ search index=xxx sourcetype=xxx xxx earliest=$earliestTime3$ latest=$latestTime3$ | eval _time=_time+60*60*24*21  | eval label=xxx  | fields -_raw _time ecn label ] [ search index=xxx sourcetype=xxx xxx earliest=$earliestTime4$ latest=$latestTime4$ | eval _time=_time+60*60*24*28  | eval label=xxx  | fields -_raw _time ecn label ] | bin _time span=5m | chart dc(ecn) over _time by label ... View more

Hi @kishan2356, You could use the below snippet. I have included an option to display the values.You can remove it once you test the functionality. [Remove the tags at the end] Please upvote and accept if this helped!! <fieldset submitButton="true" > <input type="text" token="startdate" searchWhenChanged="false" > <label>Start Date (mm/dd/yyyy hh:mm)</label> <default></default> <change> <condition> <eval token="new_earliest">strptime($startdate$,"%m/%d/%Y %H:%M")</eval> <eval token="new_earliest1">strptime($startdate$,"%m/%d/%Y %H:%M")-604800</eval> <eval token="new_earliest2">strptime($startdate$,"%m/%d/%Y %H:%M")-1209600</eval> <eval token="new_earliest3">strptime($startdate$,"%m/%d/%Y %H:%M")-1814400</eval> <eval token="new_earliest4">strptime($startdate$,"%m/%d/%Y %H:%M")-2419200</eval> </condition> </change> </input> <input type="text" token="enddate" searchWhenChanged="false"> <label>End Date (mm/dd/yyyy hh:mm)</label> <default></default> <change> <condition> <eval token="new_latest">strptime($enddate$,"%m/%d/%Y %H:%M")</eval> <eval token="new_latest1">strptime($enddate$,"%m/%d/%Y %H:%M")-604800</eval> <eval token="new_latest2">strptime($enddate$,"%m/%d/%Y %H:%M")-1209600</eval> <eval token="new_latest3">strptime($enddate$,"%m/%d/%Y %H:%M")-1814400</eval> <eval token="new_latest4">strptime($enddate$,"%m/%d/%Y %H:%M")-2419200</eval> </condition> </change> </input> <input type="dropdown" token="field1" searchWhenChanged="false"> <label>X</label> <choice value="A">A</choice> <choice value="B">B</choice> <choice value="C">C</choice> <choice value="D">D</choice> <choice value="E">E</choice> <choice value="F">F</choice> <choice value="G">G</choice> <choice value="H">H</choice> <default>A</default> </input> </fieldset> <row> <html> <li> X $field1$</li> <li>display startdate $startdate$</li> <li>display new_earliest $new_earliest$</li> <li>display new_earliest1 $new_earliest1$</li> <li>display new_earliest2 $new_earliest2$</li> <li>display new_earliest3 $new_earliest3$</li> <li>display new_earliest4 $new_earliest4$</li> </html> <html> <li>display enddate $enddate$</li> <li>display new_latest $new_latest$</li> <li>display new_latest1 $new_latest1$</li> <li>display new_latest2 $new_latest2$</li> <li>display new_latest3 $new_latest3$</li> <li>display new_latest4 $new_latest4$</li> </html> </row> ... View more

Best practice is to always run every server on UTC (since that will always match Unix epoch time) What you're describing is a timezone issue Either the data coming-in is off-by-1-hour Or the user's timezone is off-by-1-hour Or the server's time is off-by-1-hour Or some random combination of the above I've seen this countless times over the last dozen+ years - with maybe one exception in all that time, it was a time zone issue ... View more

Duplicate of https://answers.splunk.com/answers/782813/time-input-is-not-selecting-the-proper-time.html ... View more

index=XX sourcetype=XX (earliest=$earliestTime$ latest=$latestTime$) OR (earliest=$earliestTime1$ latest=$latestTime1$) OR (earliest=$earliestTime2$ latest=$latestTime2$) OR (earliest=$earliestTime3$ latest=$latestTime3$) OR (earliest=$earliestTime4$ latest=$latestTime4$) | streamstats values(eval(strftime(_time,"%m%d"))) as label | bin span=5m _time | streamstats values(eval(strftime(_time,"%H:%M:%S"))) as time | chart dc(ecn) over time by label | where time!=$click.value$ What about this query? You have to put "nothing" in $click.value$ in <init> ... View more

Hey @arjunpkishore5 The dashboard works but say when I select Date & Range Between 11/13/2019 9:00 and 11/13/2019 10:00 what happens is that the table will display time for 8:00 to 10:00 but it fills in all the data between 8 and 9 with 0s for the first 2 columns, and than it starts to display all the data for 9 to 10. I need it to select the exact time and display it. My guess is that the issue is coming from the way the tokens are set on the dashboard? Any idea on how to fix this issue? <eval token="earliestTime">if(isstr(earliest), relative_time(now(),earliest), earliest)</eval> <eval token="latestTime">if(isstr(latest), relative_time(now(),latest), latest)</eval> <eval token="earliestTime1">relative_time(earliestTime,"-7d")</eval> <eval token="latestTime1">relative_time(latestTime,"-7d")</eval> <eval token="earliestTime2">relative_time(earliestTime,"-14d")</eval> <eval token="latestTime2">relative_time(latestTime,"-14d")</eval> <eval token="earliestTime3">relative_time(earliestTime,"-21d")</eval> <eval token="latestTime3">relative_time(latestTime,"-21d")</eval> <eval token="earliestTime4">relative_time(earliestTime,"-28d")</eval> <eval token="latestTime4">relative_time(latestTime,"-28d")</eval> </change> ... View more

You simply need to add | addinfo to your search. This will give you info_min_time and info_max_time from your Time picker and then you can do whatever logic you would like to do (probably using the relative_time() and now() functions). ... View more