modify date of search

cipi23 · ‎07-11-2019

how to modify time after a search, for example i search something on thirst day of week (08 date) and after i would like to search on last week first day (01 date) all this search is in one search. In classic programming i will be use for loop

cipi23 · ‎07-12-2019

i have to display count of hosnames, that have last_seen >30 days, in first day of week:

for 08.07.19 count number of hostnames that have last_seen >30 days
for 01.07.19 count number of hostnames that have last_seen >30 days
for 24.06.19 count number of hostnames that have last_seen >30 days
for 17.06.19 count number of hostnames that have last_seen >30 days

the output will be:
week1 count
week2 count
week3 count
week4 count

all this i need to do in one search

woodcock · ‎07-11-2019

First of all, be aware that you can set your personal timezone in <Your Name> -> Preferences -> Time zone and then you can avoid all of your strftime stuff; if you do that, then this should work:

index=en_amp_api earliest=@w1 latest=@w2
| timechart span=1w count

woodcock · ‎07-11-2019

First of all, be aware that you can set your personal timezone in <Your Name> -> Preferences -> Time zone and then you can avoid all of your strftime stuff; try this:

index=en_amp_api earliest=@w1 latest=@w2
| eval week=case(
   last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"), "week1",
   last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"), "week2",
   last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"), "week3",
   last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"), "week4",
   true(), "other")
| stats count BY week

tiagofbmm · ‎07-11-2019

either you're willing to run 4 searches, one for each week, which can be done like this:

| makeresults | eval earliest=<week2_begins>, latest=<week1_ends>, weeknumber=1
| append [ | makeresults | eval earliest=<week2_begins>, latest=<week2_ends>, weeknumber=2 ]
| append [ | makeresults | eval earliest=<week3_begins>, latest=<week3_ends>,weeknumber=3 ]
| append [ | makeresults | eval earliest=<week4_begins>, latest=<week4_ends>, weeknumber=4 ]
| map search="search  index=en_amp_api  earliest=$earliest$ latest=$latest$ | eval description=$weeknumber$"

Or you specify earliest and latest that includes all the 4 weeks

index=<yourindex> earliest=<week1_begins> latest=<week4_ends>  | stats sum(eval(if(last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"),1,0))) as "week1", sum(eval(if(strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ")<last_seen AND last_seen<strftime(relative_time(_time,"-3w"),"%Y-%m-%dT%H:%M:%SZ"),1,0))) as "week2"

tiagofbmm · ‎07-11-2019

You can specify search (earliest=x latest=y) OR (earliest=w latest=z)

cipi23 · ‎07-11-2019

index=en_amp_api
 earliest=@w1 latest=@w2
| eval description1=case(last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"),"week1")
| eval description2=case(last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"),"week2")
| eval description3=case(last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"),"week3")
| eval description4=case(last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"),"week4")
| stats count(description1) as week1,count(description2) as week2,count(description3) as week3,count(description4) as week4

this is my code and i would like to modify earliest and latest for each case

modify date of search

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes