How to get earliest and latest time for the last o...

kumina · ‎09-16-2015

How to get earliest and latest time for the last one hour to compare with the same hour last week for which I don't know the earliest and latest time?

For last one hour, earliest=-1h@h latest=@h is working, but I don't know how to get the same hour last week for comparison purposes.

Kindly suggest

mkarimi17 · ‎08-08-2017

How about:

    | tstats count AS hourlyCount WHERE earliest=-7d@d latest=now index=* by index, _time span=1h | eval now_hour=strftime(now(),"%H") | eval time_hour=strftime(_time,"%H") | where time_hour=now_hour-1

It looks at the previous hour and matches it for the same hour in the past 7 days

DalJeanis · ‎08-08-2017

@mkarimi17 - perhaps you should try running it. It will give the same hour for each day, not just the two, and it will not compare last week's with this week's.

somesoni2 · ‎09-17-2015

Or in simple way,

earliest=-1h@h-1w latest=@h-1w

gyarici · ‎09-17-2015

Hi,

If you often compare such kind of results, I will recommend you to use "Timewrap application".

You can find it in here.

It is easy to use.

Here is also FAQ pages.FAQ

Hope it helps

Thanks

Gokhan

gfuente · ‎09-17-2015

Hello

What about?

earliest=-169h@h latest=-168h@h

Regards

How to get earliest and latest time for the last one hour and compare it with the same hour last week?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms