Solved: latest = earliest + 1day. in search query

snehasal · ‎07-13-2017

Hi,

I am trying to filter my search results by specifying earliest and latest time in my search query. The earliest time comes from a token. I want the latest time to be earliest + 1day. $time_token$ has the date which is selected from one of the Dashboard panels.
Please help

source="ClodeRunner10.csv" sourcetype="csv" earliest=$time_token$ latest =$time_token"+1d
| eval WfStart=If(step_info="WORKFLOW START",_time,null()) 
| eval WfEnd=If(step_info="WORKFLOW END",_time,null()) 
| sort 0 _time 
| streamstats latest(WfStart) as WfStart by workflow_name 
| eval WfDuration=round(((WfEnd-WfStart)/60) ,2) 
| timechart eval(round(avg(WfDuration),2)) by workflow_name limit=0 useother=false

Thanks,
Sneha

jackson1990 · ‎07-13-2017

Try the below approaches:
1.Mentioning 1d in secs in your query.Include eval latest = $time_token$+86400 in your query
or
2.Include eval latest=relative_time($time_token$, "+d") in the query
Dont forget to append pipe(|) operator for eval operations.

View solution in original post

jackson1990 · ‎07-13-2017

Try the below approaches:
1.Mentioning 1d in secs in your query.Include eval latest = $time_token$+86400 in your query
or
2.Include eval latest=relative_time($time_token$, "+d") in the query
Dont forget to append pipe(|) operator for eval operations.

snehasal · ‎07-13-2017

latest = $time_token$+86400 worked for me.
Thanks

jackson1990 · ‎07-14-2017

Glad it worked !!

latest = earliest + 1day. in search query

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms