Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Could someone help me on a transpose header field

jip31
Motivator
‎04-27-2022 06:45 AM

hi

I transpose header field time like this

 

 

| eval time=strftime(_time,"%H:%M")
| sort time
| fields - _time _span _origtime _events
| fillnull value=0
| transpose header_field=time 0 column_name=KPI include_empty=true
| sort KPI

 

 

Now I need to display only the fields for which _time is < to the current time

So I am doing this and it works

 

 

| where _time < now()

 

 

 But I also need to disply only the fields an hour earlier to the current time

So I need something like this but I dont succeed

 

 

| where _time < now() AND _time > now()-1

 

 

Could you help please?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2022 07:39 AM 
| where _time < now() AND _time >= now()-3600

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2022 06:55 AM

_time and now() are in seconds so 1 hour ago is now()-3600 that is 60 seconds times 60 minutes

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-27-2022 07:08 AM

OK

| where _time < now() alone works

But  _time=now()-3600 return any time fields

What I need is something like this

| where _time < now() AND _time=now()-3600 in order to display only the fields _time between 15h and 16h (considering the current time is 16)

jip31_0-1651068447445.png

instead this

jip31_1-1651068484956.png

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2022 07:39 AM 
| where _time < now() AND _time >= now()-3600
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-27-2022 07:45 AM

perfect thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...