This is my query: I want to display a time chart that shows the last 4 weeks (week by week), from now back through the last 4 weeks.
Here is my query:
index="@@$" | eval _time = Planned | where _time < relative_time(now(), "-4w@w") | timechart span=4w sum(Count) as Count
Here Planned is a date field; assume it's already converted into epoch time.
How do I display the chart so that the Planned date fetches only (-4 weeks until now)?
Please let me know if it's possible.
Awaiting your response.
If Planned is already in epoch:
index="@@$" | where Planned > relative_time(now(), "-4w@w") | eval _time = Planned | timechart span=1w sum(Count) as Count
Your sign was saying that you wanted to grab data BEFORE four weeks ago, not AFTER four weeks ago. You could eval _time=Planned before your where statement, but if it's already in epoch, it shouldn't matter. Also, I changed the timechart to span 1 week at a time, instead of the 4 weeks in the original statement.
I think chart can be used directly with Planned as x-axis to skip eval to assign Planned as _time value.
index="@@$"
| where Planned > relative_time(now(), "-4w@w")
| chart span=1w sum(Count) as Count over Planned
| fieldformat Planned=strftime(Planned,"%Y/%m/%d")
Final fieldformat is to display Planned time as String Time while retaining value as epoch.
Your comparison operator is backward - you would be getting events earlier than -4w rather than later than that.
I need to show the count of planned dates, which should give me the dates from the last four weeks from today's date. Hence I was assuming it as "-4w".
@rijinc - There's nothing wrong with that part, it's the comparison operator - you are only getting events BEFORE that date.
Hi
Try something like this
index="@@$" earliest=-4w@w latest=now
| timechart span=1w count
Bye.
Giuseppe
Hi cusello
I know this works,
but as I am using a date field (Planned), this needs to fetch -4 weeks from now.
OK, try
index="@@$" earliest=-4w latest=now
| timechart span=1w count
Bye.
Giuseppe
What format is Planned in? Epoch? "mm/dd/YYYY HH:SS:MM"?
Yes, it's in Epoch format "dd/mm/YYYY HH:SS:MM"
@rijinc
index="@@$" | eval _time = Planned | eval _time=strftime(_time,"%Y-%m-%d") | timechart span=4w sum(count) as Coun
Just to add a quick comment: if you need to snap to a specific day of the week, you can do that too.
@w is Sunday
@w1 is Monday
@w2 is Tuesday
etc.
If you just want to go to 4 weeks ago from now, just write earliest=-4w
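A self-contained search that puts the thread's points together (added example, not posted by any participant): it builds 12 constructed sample rows with makeresults, converts a string Planned value to epoch with strptime, keeps only rows from the last 4 weeks up to now, and charts them week by week. The field name planned_epoch and the format string "%d/%m/%Y %H:%M:%S" are assumptions; if Planned already holds epoch seconds, drop the strptime line and filter on Planned directly.

```spl
| makeresults count=12
| streamstats count as n
| eval Planned = strftime(now() - (n * 4 * 86400), "%d/%m/%Y %H:%M:%S")
| eval Count = n
| eval planned_epoch = strptime(Planned, "%d/%m/%Y %H:%M:%S")
| where planned_epoch >= relative_time(now(), "-4w@w") AND planned_epoch <= now()
| eval _time = planned_epoch
| timechart span=1w sum(Count) as Count
```

The sample rows are spaced 4 days apart going back 48 days, so the older ones fall outside the window and are dropped by the where clause before timechart runs.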