Need help..
Hi,
I can run a search for 7 days and do eval to get data for particular hour but that seems a costly operation.
I am thinking to get past hour value to some variable like abc= stfrtime(_time,@H) and assign to date_hour
date_hour=abc and do a search for past 7 days.
Not able to find any Splunk field to use. Able to
index=abc_core search_test=* earliest=-1h@h latest=-0h@h | stats count as TodayStats by search_test |join search_test [search index=abc_core search_test=* (earliest=-25h@h latest=-24h@h) OR (earliest=-49h@h latest=-48h@h) OR (earliest=-73h@h latest=-72h@h) OR (earliest=-97h@h latest=-96h@h) OR (earliest=-121h@h latest=-120h@h) OR (earliest=-145h@h latest=-144h@h) OR (earliest=-169h@h latest=-168h@h) | stats count(search_test) as Count by search_test | eval WeeklyAvg=round(Count/7,0) | eval WeeklyAvg75=(Count/7)*0.75| table client_app_id WeeklyAvg WeeklyAvg75]|
index=abc_core search_test=* earliest=-7d@d latest=now | eval abc=stfrtime(timestamp/1000,"%H) | where date_hour=abc
Need help to do simpler and efficient way ..
Basic requirement - Not to search for all 7 days data and do eval and condition , but need to give some query code upfront to search for only that hour.. Need to use as dynamic saved search to run every hour.
↧