Hi all!
I'm building a view in advanced XML, with a TimeRangePicker, associated with 2 searches.
My problem is that I can't do the following operation: now-7d, for the drawing on the right.
Is there any way to rewrite the "now" value, or to get a value that allows a subtraction?
Final request for drawing the double-bar-graph is:
earliest=@d latest=now action="reject" CF="xxxxx" | multikv | eval ReportKey="today" | append maxtime=120 [ search earliest=@d-604800 latest=now-518400 action="reject" CF="xxxxx" | multikv | eval ReportKey="last week" | eval new_time=time+86400*7 ] | eval _time=if(isnotnull(new_time), new_time, _time) | timechart span=1h count by ReportKey
I get the following: _Invalid value "now-518400" for time term 'latest'_
David
You should be able to use relative values without specifying the "now". By defining latest=-24h it would set the latest allowable time to 24 hours ago (no need to say "now"). If you define latest=-1000s it will set the latest allowable time to 1000 seconds from the "now".
You really just need a value, a unit and a direction.
If you are getting the latest time from somewhere then you should probably use an eval statement with the relative_time function to calculate your latest value.
See this page and search for "relative_time" http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
... | eval last_time=relative_time(...)
And then use last_time in your subsearch or a where "_time <= last_time"
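The relative_time approach suggested above, written out against the search from the question (an added example, not part of the original posts): a single search over the last seven days labels each event by comparing _time with boundaries computed by relative_time, so no arithmetic on "now" is needed in the time terms. The window boundaries (start of today, start of the same day last week, and six days before now) and the field names are taken from the original query; reading the full seven days in one search instead of using a subsearch is an assumption of this sketch.

```spl
earliest=-7d@d latest=now action="reject" CF="xxxxx"
| multikv
| eval today_start=relative_time(now(), "@d")
| eval lw_start=relative_time(now(), "-7d@d")
| eval lw_end=relative_time(now(), "-6d")
| eval ReportKey=case(_time>=today_start, "today", _time>=lw_start AND _time<lw_end, "last week")
| where isnotnull(ReportKey)
| eval _time=if(ReportKey="last week", _time+86400*7, _time)
| timechart span=1h count by ReportKey
```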
Hi there!
Thanks for your answer, but the case is that the "earliest" & "latest" values come from the TimeRangePicker when you select Today.
All the other cases are working fine.
I'm getting the values using:
$search.timeRange.earliest$ & $search.timeRange.latest$
David