Hi Team,
I am posting only part of the query to avoid confusion. The sourcetype logs data for the past 10 days every day I search for it, because that's how it's designed, and I am fine with it. However, I want to filter only for yesterday's date for another purpose and want to use the same source. If I simply put 2023-05-16 as a filter in my search query I can get the data, but I want to automate it to fetch results every day, and every day I run it, it should by default take yesterday's value. I simply want to print the value of result.yesterday in my search query, like how I can mention 2023-05-16. Could you please let me know how I can achieve this?
| makeresults
| eval yesterday = strftime(relative_time(now(), "-1d@d"), "%Y-%m-%d")
|fields - relative_time $result.yesterday$ search index=infra source=*emr* sourcetype="aws:description" source="*emr_clusters" account_id="a0087"
| dedup Id
| rename Name as cluster_name, Id as JobFlowId Status.Timeline.CreationDateTime as cluster_creation_on, Status.Timeline.ReadyDateTime as cluster_ready_on, Status.Timeline.EndDateTime as cluster_terminate_on
Thanks in advance