I used this code recently in a Splunk dashboard where I needed to have multiple time ranges from one searchTemplate search. You can use this code in a searchPostProcess element to change the time range (in this case to 'yesterday'):
eval ADayAgo=now()-86400 | eval yesterdayText=strftime(ADayAgo,"%Y-%m-%d") | eval yesterdayTextEnd=yesterdayText. " 23:59:59" | eval endEpoc=strptime(yesterdayTextEnd,"%Y-%m-%d %H:%M:%S") | where _time >endEpoc-86400 and _time <=endEpoc
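An added example, not from the original post: a legacy Simple XML dashboard in which one searchTemplate covers two days and each panel's searchPostProcess narrows the results to its own day. It uses relative_time() snapped to midnight instead of building the boundary from text, so events in the final second of the day are kept. The index, field names and titles are assumptions.

```xml
<dashboard>
  <label>Failed logons: yesterday vs today</label>
  <!-- Constructed example: index=auth_logs, action=failure and user are placeholder names. -->
  <!-- The base search must span every range the panels need and keep _time in its results. -->
  <searchTemplate>index=auth_logs action=failure | bin _time span=1h | stats count by _time, user</searchTemplate>
  <earliestTime>-1d@d</earliestTime>
  <latestTime>now</latestTime>
  <row>
    <table>
      <title>Failed logons yesterday</title>
      <!-- Half-open window: yesterday 00:00:00 up to, but not including, today 00:00:00. -->
      <searchPostProcess>where _time &gt;= relative_time(now(), "-1d@d") AND _time &lt; relative_time(now(), "@d") | stats sum(count) AS failures by user | sort - failures</searchPostProcess>
    </table>
    <table>
      <title>Failed logons today</title>
      <!-- Everything from today 00:00:00 onwards. -->
      <searchPostProcess>where _time &gt;= relative_time(now(), "@d") | stats sum(count) AS failures by user | sort - failures</searchPostProcess>
    </table>
  </row>
</dashboard>
```

Aggregating into hourly buckets in the base search keeps the shared result set small while still leaving a _time value for each panel to filter on.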