Hi All,
This gives me the value by subtracting 7 days from now:
|stats count | eval next_time=relative_time(now(),"-7d@d")| convert ctime(*_time)
I actually want 7 days starting from yesterday. I used the one below, and it's not giving me any value.
|stats count | eval next_time=relative_time("-1d@d","-7d@d")| convert ctime(*_time)
Please let me know how this can be achieved.
Wait for it ..... !
7 days from yesterday will be |stats count | eval next_time=relative_time(now(),"-8d@d")| convert ctime(*_time)
Additional information on this: try | addinfo, it may help you.
Search time frame: Last 1 hr (change based on your requirement)
|stats count | addinfo | eval earliest=relative_time(info_max_time,"-7d@d") | eval latest=relative_time(info_max_time,"-1d@d") | eval next_time=relative_time("-1d@d","-7d@d") | convert ctime(info_max_time) as info_max_time, ctime(info_min_time) as info_min_time , ctime(earliest) ctime(latest)
Description of | addinfo:
It provides details about the search, like info_max_time and info_min_time. Take info_max_time and use relative time to move the earliest to 7 days (any relative time 7d@d based on your requirement). The same info_max_time field is used to calculate yesterday (-1d@d).
Definition of the relative_time function:
relative_time(X,Y)
This function takes an epochtime time, X, as the first argument and a relative time specifier, Y, as the second argument and returns the epochtime value of Y applied to X.
Example, ... | eval n=relative_time(now(), "-1d@d")
http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/CommonEvalFunctions#Date_and_Time_functions
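An added example, not part of the original posts: because the first argument of relative_time must be an epoch value, "yesterday" has to be resolved with its own relative_time call before the 7-day offset is applied to it. The field names yesterday, window_start and same_as_minus_8d are made up for this illustration; same_as_minus_8d compares the chained result with the "-8d@d" form from the answer above.

```spl
| makeresults
| eval yesterday = relative_time(now(), "-1d@d")
| eval window_start = relative_time(yesterday, "-7d@d")
| eval same_as_minus_8d = if(window_start == relative_time(now(), "-8d@d"), "yes", "no")
| convert ctime(yesterday) ctime(window_start)
| table yesterday window_start same_as_minus_8d
```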
Thanks, this helps; however, I have a new challenge here. Basically, my query looks like this:
index="data" |eval period=if(_time>=relative_time(now(),"-8d@d"),strftime(relative_time(_time,"@w7"),"%m/%d"),strftime(relative_time(_time,"-@w7"),"%m/%d")) |search period!=NULL | chart count over app_name by period | sort 10 -period.
I am not able to bring up the top 10 values using the above query. Can you guys let me know?
@smaran06 - Did the answer provided by vasanthmss help provide a working solution to your original question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with additional feedback. Thank you.
This is how your final output looks before sort:
appname, sundaylastweek, sundaythisweek
appname1, count ,count...
.....
So, you get two columns with count. Which one do you want to use to sort/get the top 10 values?
Thanks somesoni2, I want to sort appname1,count,count...
I am completely confused but that's not the worst part; every update makes me more confused!
Change the stuff after the last |
to this:
| top 10 app_name by period
Thanks, this didn't help.