Hi,
I want to tell a Splunk search to use only events with a _time of "yesterday" and "yesterday - 1 week" in the search. So if I started this search now, it should use the events where _time=11/02/2014 or _time=04/02/2014.
In the TimeRangePicker it doesn't seem to be possible to define something like this. How can I achieve it in the search?
BR
Heinz
According to the Module Reference (http://docs.splunk.com/Documentation/Splunk/6.0.1/AdvancedDev/ModuleReference), TimeRangePicker uses values specified in the times.conf file. My times.conf file has the following definitions:
[yesterday]
label = Yesterday
earliest_time = -1d@d
latest_time = @d
order = 200
sub_menu = Other
[previous_week]
label = Previous week
header_label = in the previous week
earliest_time = -7d@w0
latest_time = @w0
order = 210
sub_menu = Other
Perhaps you can add these to your times.conf file.
Thanks a lot, I will have a closer look at both suggestions!
Apps are bundles of configurations just like what you already have in your system. They're just as likely/unlikely to break anything as all currently existing stuff. 🙂
You can use custom commands everywhere if you set them as global, so they can be used in existing reports/searches. I don't think they will break anything; in the worst case you can just uninstall (delete) the app and revert the changes.
And installing the app means that I can only use the command in this app? So timewrap can't be used in existing reports?
Yes, in the end I want to achieve something like this.
I haven't used apps before... Is there any risk of crashing parts of the Splunk configuration when installing apps?
Not exactly an answer to the question, but if you're after this because you want to compare week-by-week results you might be interested in the Timewrap app which adds the "timewrap" command: http://apps.splunk.com/app/1645/
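An added example, not part of any post in this thread: one way to restrict a single search to yesterday and the same day one week earlier is to search the whole eight-day span and then drop the six days in between with relative_time(). The index name your_index and the field names yesterday_start, week_before_end, day and hour are placeholders chosen for this example.

```spl
index=your_index earliest=-8d@d latest=@d
| eval yesterday_start = relative_time(now(), "-1d@d")
| eval week_before_end = relative_time(now(), "-7d@d")
| where _time >= yesterday_start OR _time < week_before_end
| eval day = if(_time >= yesterday_start, "yesterday", "same_day_last_week")
| eval hour = strftime(_time, "%H")
| chart count over hour by day
```

Run on 12/02/2014, this keeps only events from 11/02/2014 and 04/02/2014 and charts their hourly counts side by side. The earliest and latest modifiers written in the search string take precedence over whatever the time range picker is set to.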