Hello Everyone,
I have implemented a case where the events of a log are calculated on a per-day basis. But when I choose the Timerange picker, it's showing the values according to the events for the last N amount of period unless it's a custom time.
e.g. Last 24 hours will choose events which are from today 10 AM to yesterday's 10 AM. But the problem is the events for yesterday before 10 AM are neglected in the per-day calculation.
Any insight by which I can make it happen to start any dates at 00:00 AM?
earliest_time = 22/6/13 00:00 AM
Thanks
Add earliest and latest conditions with @d (on day boundaries) to your query.
For example:
For all events yesterday: earliest=-1d@d latest=-0d@d
For all events so far today: earliest=-0d@d latest=now
Be aware that days start and end based on the timezone set for the user performing the query. You can change this in each user's settings if needed.
You can also explicitly tell it to snap to periods other than a day. E.g., -1month@month will snap to the start of the previous month.
You can also use the built-in default datetime fields (e.g., date_month) to group stats by time periods. (See http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/UseDefaultFields .)
Long time ranges such as month to date, previous month, year to date, etc. already snap to the beginning of a day.
It may work for today and yesterday, but how do I make a trend chart for a month? I will always need the floor value of the date for my earliest parameter. Let me know if any new idea hits. I need to dig deep.
You can define your own time ranges if the pre-defined ones do not suit your cases. For example, you could swap "Last 24 hours" (-24h@h to now) with "Today + Yesterday" (-24h@d to now).
Thanks for the reply, but I can't make the values hard-coded, as the values will change according to the value changed by the TimeRangePicker module.
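
Added example, not part of the thread and not Splunk's own code: a small Python emulation of the offset-then-snap behaviour discussed above, showing why "-24h@h" undercounts yesterday in a per-day tally while "-24h@d" does not. The function names, the supported subset (h and d units only), the naive timestamps (no timezone handling) and the hourly sample events are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Subset of the relative-time syntax used in the thread:
# [+|-]<N><unit>[@<snap>] with units h and d, or the literal "now".
_MODIFIER = re.compile(r"^(?:([+-])(\d+)([hd]))?(?:@([hd]))?$")
_UNITS = {"h": "hours", "d": "days"}

def resolve(modifier, now):
    """Apply the offset first, then snap down to the start of the snap unit."""
    if modifier == "now":
        return now
    m = _MODIFIER.match(modifier)
    if not m or not modifier:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    sign, amount, unit, snap = m.groups()
    t = now
    if unit:
        delta = timedelta(**{_UNITS[unit]: int(amount)})
        t = t - delta if sign == "-" else t + delta
    if snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return t

def daily_counts(events, earliest, latest, now):
    """Count events per calendar day inside [earliest, latest)."""
    start, end = resolve(earliest, now), resolve(latest, now)
    return dict(Counter(e.date().isoformat() for e in events if start <= e < end))

# Constructed sample: one event per hour from 2013-06-21 00:00 to 2013-06-23 09:00,
# searched at 10:00 on 2013-06-23 (naive local time).
NOW = datetime(2013, 6, 23, 10, 0)
EVENTS = [datetime(2013, 6, 21) + timedelta(hours=h) for h in range(58)]

if __name__ == "__main__":
    # "-24h@h" starts at yesterday 10:00, so yesterday's bucket is partial;
    # the "@d" variants start at yesterday 00:00 and give a full day.
    for earliest in ("-24h@h", "-24h@d", "-1d@d"):
        print(earliest, daily_counts(EVENTS, earliest, "now", NOW))
```

A partial first bucket like the one "-24h@h" produces is worth checking for in any per-day trend or threshold search, since it makes the oldest day look quieter than it was.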