Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Default Start Timerange from 10am
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am working on a wall board dashboard regarding incidents created from 10am till now. So if it is before 10am I want to return results from 10am yesterday. If it is after 10am today then I want results from 10am today.
I found the syntax for for getting all the results for the beginning of the current week
earliest=@w0
I was hoping there might be something similar like
earliest=@h10
Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the solution:
Logic:
- a "normal day" is 10am till 10am each day.
- So if it is before 10am - the time range will be 10am the previous day till the current time.
- If it is after 10am then the time will from 10am today till now.
Date Time Calculation:
- we run a base search with the id of DatePicker
- To do this we calculate the current time and set the hnow to be the current hour.
- Then we run an if statement to set the earliest time variable based on if it is before 10am
when the search is done we set the earliest time range token.
| makeresults | head 1 | eval hnow = strftime(now(), "%H")
| fields hnow
| eval x=if(hnow > 9,"@d+10h","-1d@d+10h")
-1m
now
1m
$result.x$
Hope this helps someone else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the solution:
Logic:
- a "normal day" is 10am till 10am each day.
- So if it is before 10am - the time range will be 10am the previous day till the current time.
- If it is after 10am then the time will from 10am today till now.
Date Time Calculation:
- we run a base search with the id of DatePicker
- To do this we calculate the current time and set the hnow to be the current hour.
- Then we run an if statement to set the earliest time variable based on if it is before 10am
when the search is done we set the earliest time range token.
| makeresults | head 1 | eval hnow = strftime(now(), "%H")
| fields hnow
| eval x=if(hnow > 9,"@d+10h","-1d@d+10h")
-1m
now
1m
$result.x$
Hope this helps someone else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use
earliest = @d+10h
For events after 10am today
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks nabell652 we are on the same page I'm currently using but it only works for events when I'm looking at the dashboard between 10am and midnight.
I also need to cover midnight to 9:59.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if it is in a different search you can use
earliest=@d latest=@d+10h
And for 10am till now
earliest=@d+10h latest=now
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
