Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Variable earliest and latest?

stevensa
Explorer
‎01-10-2011 01:58 PM

Hey,

This forum has been so very helpful... I really cannot thank the posters here enough!

However, I have a question I have not been able to find an answer to. I have a search that I am trying to gather statistics for the previous day, but only the previous weekday. So if today is Monday I want my search to reflect information from Friday. If it is Tuesday I wnat the search to reflect information from Monday.

So I am trying to essentially do something along the lines of: 

"mysearch" earliest=if(strftime(now(), "%A")=="Monday", relative_time(now(),"@w5"), relative_time(now(),"-d@d") )  latest=if(strftime(now(), "%A")=="Monday", relative_time(now(), "@w6"), relative_time(now(),"@d")) | chart count by host

However, splunk does not like this syntax. Is there something I am missing or a simple way of doing this? Thank you very much for your help!!

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎01-11-2011 06:38 PM

Hey Steven,

Spent some time on this but i think i got it to work. Try this:

index=_internal [search index=_internal | head 1 | eval earliest=if(date_wday="monday", "-3d@d", "-1d@d") | eval latest=if(date_wday="monday", "-2d@d", "@d") | table earliest, latest | format "" "" "" "" "" ""]

if you are running the search on monday, it should go back and look at only the friday data. If you are running it on any other day, it will look at the previous day only.

Be careful however, this is not taking in consideration running this search on saturday or sunday. You could have a more nested if, for the earliest but that was too complicated and it didnt seem that you needed it anyway.

Let me know if this worked for ya.
Cheers,
.gz

View solution in original post

Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎01-11-2011 06:38 PM

Hey Steven,

Spent some time on this but i think i got it to work. Try this:

index=_internal [search index=_internal | head 1 | eval earliest=if(date_wday="monday", "-3d@d", "-1d@d") | eval latest=if(date_wday="monday", "-2d@d", "@d") | table earliest, latest | format "" "" "" "" "" ""]

if you are running the search on monday, it should go back and look at only the friday data. If you are running it on any other day, it will look at the previous day only.

Be careful however, this is not taking in consideration running this search on saturday or sunday. You could have a more nested if, for the earliest but that was too complicated and it didnt seem that you needed it anyway.

Let me know if this worked for ya.
Cheers,
.gz

Reply
Solved! Jump to solution

stevensa
Explorer
‎01-11-2011 07:48 PM

Genti,
Thank you very, very much for spending the time to think through an answer. Definitely a cool solution to the problem! I really appreciate the help, resolved a big issue for me (my boss!)!

0 Karma
Reply
Solved! Jump to solution

sweetlile
Explorer
‎09-19-2016 08:02 AM

I have the same issue but I want to display the result on a table, I can't disable the selection of time -range automatically. How did you do it?
This is my search:

source="##" Return_Code="*"  ServiceName="*" [search source="##" | head 1 | eval earliest=if(date_wday="monday", "-3d@d-4h", "-1d@d-4h") | eval latest=if(date_wday="monday", "@d-4h", "@d-4h") | table earliest, latest | format "" "" "" "" "" ""] | chart count by  Return_Code, ServiceName

It doesn't work when It's Monday, I want the search from Friday at 8AM until Monday at 8AM and If it's another day, I want the search results to be from the -d at 8AM until the current day at 8AM.
Can you help me, Please?

0 Karma
Reply
Solved! Jump to solution

Genti
Splunk Employee
Splunk Employee
‎01-11-2011 06:39 PM

clearly, you need to modify "index=_internal" to match on both the search and the subsearch..

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...