- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to set earliest and latest for custom time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to set earliest to @d for the custom time stamp
query.. | dedup EMPLOYEE_ID |fields EMPLOYEE_ID STORE_NUMBER STATE REGION PUNCH_OUT_TIME|where PUNCH_OUT_TIME!= " "|eval punch_time= strptime(PUNCH_OUT_TIME,"%d/%m/%Y %H")|bin punch_time span=1h|stats count by REGION punch_time|eval punch_time = strftime(punch_time,"%d/%m/%Y %H %p")|xyseries punch_time REGION count|addtotals|eventstats avg(Total) as Average|rename Total as "Total Punched"|rename Average as "Average Punched"| rename punch_time as PUNCH_OUT_TIME
This query shows hour wise details for all dates. but I need only for current date.. I could not set earliest and latest here. How to do that? please help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your _time value (timestamp extraction setup during indexing) is based on PUNCH_OUT_TIME field already, you could just include earliest=@d in your base query.
index=foo sourcetype=bar earliest=@d ....rest of the search...
If it's not based on PUNCH_OUT_TIME field, then try like this (see where condition)
query.. | dedup EMPLOYEE_ID |fields EMPLOYEE_ID STORE_NUMBER STATE REGION PUNCH_OUT_TIME|where PUNCH_OUT_TIME!= " "|eval punch_time= strptime(PUNCH_OUT_TIME,"%d/%m/%Y %H")
| where punch_time>=relative_time(now,"@d")
...rest of the search...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is what worked. Thanks somesoni2 :).. you are very helpful
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your _time value (timestamp extraction setup during indexing) is based on PUNCH_OUT_TIME field already, you could just include earliest=@d in your base query.
index=foo sourcetype=bar earliest=@d ....rest of the search...
If it's not based on PUNCH_OUT_TIME field, then try like this (see where condition)
query.. | dedup EMPLOYEE_ID |fields EMPLOYEE_ID STORE_NUMBER STATE REGION PUNCH_OUT_TIME|where PUNCH_OUT_TIME!= " "|eval punch_time= strptime(PUNCH_OUT_TIME,"%d/%m/%Y %H")
| where punch_time>=relative_time(now,"@d")
...rest of the search...
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
