I have the following search:
index=core source="*source1*"... |
stats max(field1) as "fieldname1" |
gauge max(field1) as "fieldname1"
[search index=core source="*source2*" |
rex field=Licensefilename "(?P<subname>(?<=_).*?(?=\.)).*" |
stats max(field2) as fieldname2 |
eval first=0 |
eval second=fieldname2 -50/100*fieldname2 |
eval third=fieldname2 -20/100*fieldname2 |
eval fourth=fieldname2 |
eval range=first+" "+second+" "+third+" "+fourth | return $range]
and it gives this output (i use this for creating a dynamic gauge visualisation)
x y1 y2 y3 y4
216810 0 150000 240000 300000
this works well if i choose the date to be yesterday
or the last 30days
, but if I choose the date to be the previous month
i get this
x
217891
whcih indicates to me that my $range
is not being returned when I choose previous month
Anyway I can NOT get this to work for the previous month, which is what I want as opposed to the last X days.
Any way I can get this to work for previous month?
Whether the data will be the presence of the previous month of sub-search?
index=core source="source2"
Whether the data will be the presence of the previous month of sub-search?
index=core source="source2"
if i pick last 30 days it works for my 1st search source="source1"
and 2nd subsearch source="source2"
if i understand correctly.
then if i pick previous month I want that to work(or be applied) to my 1st search source="source1"
and 2nd subsearch source="source2"
Maybe you are saying that I have to put earliest=?? and latest=??
inside my 2nd subserch source="source2"
?
I could give this a try but how would i write earliest=?? and latest=??
to be the previouse month?
Is it earliest=-1m@m and latest=@m
?
tks, I got it to work I think it was more a user error!!! 😞