Try relative_time()
.
... | eval futureTime=relative_time(relative_time(_time, "+1mon"), "-1d") | fieldformat futureTime=strftime(futureTime,"%Y-%m-%d %H:%M:%S") | ...
This was a good poar. I thought I had to subtract seconds in order to look at previous weeks. But i see now that doing this:
| eval futureTime=relative_time(_time, "-7d") | fieldformat futureTime=strftime(futureTime,"%Y-%m-%d %H:%M:%S")|
Gets me where I need to be as well AND looks a little cleaner. I found plenty of references to strftime but this is the first i've seen the "relative_time" command as well as the format for 7d, 1mon, etc in a query like that.
Thanks again 🙂
Hi Thanks for the quick response . Much appreciate .
I tried something similar using eval function :
eval time =strftime (relative_time(_time, "+1mon"),"%Y%m%d %H:%M:%S")
if i add one month to " 31 May 2016 at 6:44:30 p.m." it gives me "20160701 18:44:30"
Where as it should be:" Thursday, 30 June 2016 at 6:44:30 p.m"
Can you please advise what am I doing wrong ?
Thanks in advance
First, the easy part. The difference between your current output and expected output is in the strftime format string. Try %A, %d %B %Y at %I:%M:%S %p
.
As for the result of relative, I don't have the answer, but I do have a theory. It looks like relative_time(_time, +1mon)
adds the number of days in the month specified in _time. So '31 May 16' jumps ahead 31 days to 1 July 16 because May is 31 days long, whereas '30 Apr 16' jumps ahead 30 days to '30 May 16' because April is only 30 days long. Regrettably, I don't have a good workaround for this.
Thank you very much !!! . my formatting is all good .
If your problem is solved then please accept the answer.