Splunk time-modifiers relative to the time-picker
I have a Splunk query that returns 3 event types. I'd like the "start" type events to be set by the time-picker, and I'd like the "stop" and "portal" events to be driven by the time-picker plus or minus 2 days at each end. For example, if I choose 2nd Aug for the "start" events, I'd like to return 1st to 3rd August for the "stop" and "portal" events. Any ideas?
Thanks in advance.
index=50 (type="start" AND termination_cause!="resumed" {date range a}) OR (type="stop" AND termination_cause!="suspect-logout" {date-range b}) OR (type="portal" view="portalview_process_*" {date range c})