Solved: Could someone help me on a transpose header field

jip31 · ‎04-27-2022

hi

I transpose header field time like this

| eval time=strftime(_time,"%H:%M")
| sort time
| fields - _time _span _origtime _events
| fillnull value=0
| transpose header_field=time 0 column_name=KPI include_empty=true
| sort KPI

Now I need to display only the fields for which _time is < to the current time

So I am doing this and it works

| where _time < now()

But I also need to disply only the fields an hour earlier to the current time

So I need something like this but I dont succeed

| where _time < now() AND _time > now()-1

Could you help please?

ITWhisperer · ‎04-27-2022

| where _time < now() AND _time >= now()-3600

View solution in original post

ITWhisperer · ‎04-27-2022

_time and now() are in seconds so 1 hour ago is now()-3600 that is 60 seconds times 60 minutes

jip31 · ‎04-27-2022

OK

| where _time < now() alone works

But _time=now()-3600 return any time fields

What I need is something like this

| where _time < now() AND _time=now()-3600 in order to display only the fields _time between 15h and 16h (considering the current time is 16)

instead this

ITWhisperer · ‎04-27-2022

| where _time < now() AND _time >= now()-3600

jip31 · ‎04-27-2022

perfect thanks

Could someone help me on a transpose header field

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?