Hello,
I'm trying to use Timewrap command dynamically. Indeed, in the documentation, it is written you can filter the date:
.... | timechart count span=1h | timewrap w | where strftime(_time, "%A") == "Wednesday"
This works on my data set, but when I want "Wednesday" to be "the day it was 1 hour before from now", it doesn't work. Here is what I do:
| timechart count span=1h | eval time_lasthour=relative_time(now(), "-1h@h" ) | eval day_lasthour=strftime(time_lasthour,"%A") | timewrap w | where strftime(_time, "%A") == day_lasthour
Although the variable "day_lasthour" contains the right day, it isn't applied in the WHERE clause... Any idea to make the variable "day_lasthour" work in the WHERE clause ?
Thank you
↧