I am doing a time chart but I don't want Today's date to show in the table. I know I can do that with the date range but that is cumbersome.
Any way to write it in SPL to do this?
| table _time SQYDLBHR
| streamstats count(SQYDLBHR) as timerange
| eventstats count(SQYDLBHR) as this
| eval Number = this - 1
| head (timerange
Old post but posting response in case anyone finds this.
I was able to accomplish this by doing the following.
| streamstats count(latest_requests) as timerange
| where (timerange > 1)
| table _time SQYDLBHR
| streamstats count(SQYDLBHR) as timerange
| eventstats count(SQYDLBHR) as this
| eval Number = this - 1
| head (timerange
| table _time SQYDLBHR
| streamstats count(SQYDLBHR) as timerange
| eventstats count(SQYDLBHR) as this
| eval Number = this - 1
| head (timerange
It keeps failing the last line to display but it is | head (timerange < Number)
@Hppjet,
Does this suit your requirement?
|where strftime(_time,"%d-%m-%Y")!=strftime(now(),"%d-%m-%Y")
Hi,
maybe the partial option of the timechart command can help you out. It basically dismisses all bins that are partial. Which in your case should drop the last day, since it is not completed until midnight. Only the first and the last bin can be partial, so you might also lose the first bin.
http://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Timechart#Optional_arguments
Ofcourse you can also do some streamstats count magic and create a field that simply counts and combine it with | search count != 1.