Splunk Search

Use events where _time= "Yesterday" or _time="Yesterday - 1Week"

HeinzWaescher
Motivator

Hi,

I want to tell a Splunk search just to use events with a _time of "yesterday" and "yesterday - 1 week" in the search. So when I would start this search now, it should use the events where _time= 11/02/2014 or _time=04/02/2014.
In the time range picker it doesn't seem to be possible to define something like this. How can I achieve it in the search?

BR

Heinz

0 Karma

richgalloway
SplunkTrust

According to the Module Reference (http://docs.splunk.com/Documentation/Splunk/6.0.1/AdvancedDev/ModuleReference), TimeRangePicker uses values specified in the times.conf file. My times.conf file has the following definitions:

[yesterday]
label = Yesterday
earliest_time = -1d@d
latest_time = @d
order = 200
sub_menu = Other

[previous_week]
label = Previous week
header_label = in the previous week
earliest_time = -7d@w0
latest_time = @w0
order = 210
sub_menu = Other

Perhaps you can add these to your times.conf file.

---
If this reply helps you, Karma would be appreciated.
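Each times.conf stanza above defines one contiguous window, and the time range picker can only select one such window at a time, so two separate days (yesterday, and the same weekday one week earlier) have to be expressed in the search string itself. The search below is an added example, not code from this thread or from the Splunk documentation; the index and sourcetype names are assumed. It OR's two earliest/latest pairs so that only those two days are scanned, then uses relative_time() to label which of the two windows each event came from.

```spl
index=web sourcetype=access_combined
    ((earliest=-1d@d latest=@d) OR (earliest=-8d@d latest=-7d@d))
| eval window=if(_time >= relative_time(now(), "-1d@d"), "yesterday", "same day last week")
| eval day=strftime(_time, "%Y-%m-%d")
| stats count AS requests BY window day
```

The snap-to modifiers do the date arithmetic: -1d@d to @d is all of yesterday, and -8d@d to -7d@d is all of the same weekday one week before, both aligned to midnight in the search head's time zone. If you would rather avoid OR'd time modifiers, the same two windows can be combined with append, that is, search the first window and then `| append [ search index=web sourcetype=access_combined earliest=-8d@d latest=-7d@d ]`, at the cost of the subsearch result limits.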

HeinzWaescher
Motivator

Thanks a lot, I will have a closer look at both suggestions!

0 Karma

Ayn
Legend

Apps are bundles of configurations just like what you already have in your system. They're just as likely/unlikely to break anything as all currently existing stuff. 🙂

gfuente
Motivator

You can use custom commands everywhere if you set them as global, so they can be used in existing reports/searches. I don't think they will break anything; in the worst case you can just uninstall (delete) the app and revert the changes.

HeinzWaescher
Motivator

And installing the app means that I can only use the command in this app? So timewrap can't be used in existing reports?

0 Karma

HeinzWaescher
Motivator

Yes, in the end I want to achieve something like this.
I haven't used apps before... Is there any risk of crashing parts of the Splunk configuration when installing apps?

0 Karma

Ayn
Legend

Not exactly an answer to the question, but if you're after this because you want to compare week-by-week results you might be interested in the Timewrap app which adds the "timewrap" command: http://apps.splunk.com/app/1645/
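For the week-over-week comparison the Timewrap app is aimed at, the search below is an added example, not code from this thread or from the app's own documentation; the index and sourcetype names are assumed, and the `timewrap <span>` syntax is assumed to be the one the app (and the later built-in command) accepts. A single eight-day window covers both days the question asks about; timechart buckets it by hour, and timewrap folds the series so that the same hour of each week lands on the same row, with one column per week.

```spl
index=web sourcetype=access_combined earliest=-8d@d latest=@d
| timechart span=1h count AS requests
| timewrap 1w
```

Because the window starts at -8d@d, the earliest rows of the folded result are exactly the same weekday one week before yesterday, and the latest rows are yesterday, so a table or line chart of the output shows the two days side by side rather than as two separate searches.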
