https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651739#M225291 <P>i get an error message with that&nbsp;</P><P><SPAN>Error in 'timewrap' command: Option 'span=1y' is invalid.</SPAN></P> Mon, 24 Jul 2023 09:39:19 GMT PaulaCom 2023-07-24T09:39:19Z https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651719#M225287 <P>Hi All&nbsp;</P><P>I'd like some help please with a query thats been asked of me and its a little out of my depth&nbsp;</P><P>the current below query shows year total of helpdesk calls by year&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PaulaCom_0-1690188777402.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26426i585FCD669479DDEE/image-size/medium?v=v2&amp;px=400" role="button" title="PaulaCom_0-1690188777402.png" alt="PaulaCom_0-1690188777402.png" /></span></P><P>&nbsp;</P><P>index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json<BR />| dedup id<BR />| fillnull value=NULL<BR />| search "problemtype.detailDisplayName"!=*AGRESSO*<BR />| eval problem_detail='problemtype.detailDisplayName'<BR />| eval problem_detail=replace(problem_detail, "&amp;#8226","")<BR />| eval problem_detail=replace(problem_detail, ";","|")<BR />| eval techGroupLevel = 'techGroupLevel.levelName'<BR />| eval techGroupLevel = replace(techGroupLevel, "&amp;nbsp;"," ")<BR />| eval techGroupLevel = replace(techGroupLevel, " ","")<BR />| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")<BR />| eval location_Name = 'location.locationName'<BR />| eval status = 'statustype.statusTypeName'<BR />| eval priority = 'prioritytype.priorityTypeName'<BR />| eval techGroupId = 'techGroupLevel.id'<BR />| eval tech_Name = 'clientTech.displayName'<BR />| top limit=20 date_year<BR />| search date_year IN(2020,2021,2022,2023)<BR />| eval sort=case(date_year=="2020", "02", date_year=="2021","03", date_year=="2022","04", date_year=="2023","05")<BR />| sort sort<BR />| fields - sort<BR />| fields - percent<BR />| eval Year=case(date_year=="2020", "Y 2020", date_year=="2021", "Y 2021", date_year=="2022", "Y 2022", date_year=="2023", "Y 2023")<BR />| table Year count</P><P>i would now like to show years only 2021 and 2022 in line chart&nbsp;</P><P>but ... i would like each year to have a separate line&nbsp;</P><P>if possible i'd like the time span for each year to be broken into a month&nbsp;</P><P>i can get this with the time picker (previous year chosen) and following query below for 2022</P><P>index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json<BR />| dedup id<BR />| fillnull value=NULL<BR />| search "problemtype.detailDisplayName"!=*AGRESSO*<BR />| eval problem_detail='problemtype.detailDisplayName'<BR />| eval problem_detail=replace(problem_detail, "&amp;#8226","")<BR />| eval problem_detail=replace(problem_detail, ";","|")<BR />| eval techGroupLevel = 'techGroupLevel.levelName'<BR />| eval techGroupLevel = replace(techGroupLevel, "&amp;nbsp;"," ")<BR />| eval techGroupLevel = replace(techGroupLevel, " ","")<BR />| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")<BR />| eval location_Name = 'location.locationName'<BR />| eval status = 'statustype.statusTypeName'<BR />| eval priority = 'prioritytype.priorityTypeName'<BR />| eval techGroupId = 'techGroupLevel.id'<BR />| eval tech_Name = 'clientTech.displayName'<BR />| timechart span=1mon count(id)</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PaulaCom_1-1690189256677.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26427iFACB1AB42BEC89C2/image-size/medium?v=v2&amp;px=400" role="button" title="PaulaCom_1-1690189256677.png" alt="PaulaCom_1-1690189256677.png" /></span></P><P>&nbsp;</P><P>&nbsp;how can i get both years show ?</P><P>thank you&nbsp;</P><P><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 24 Jul 2023 09:04:36 GMT https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651719#M225287 PaulaCom 2023-07-24T09:04:36Z https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651727#M225288 <P>Try something like this</P><P>&nbsp;</P><LI-CODE lang="markup">index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json earliest=-2y@y latest=@y | dedup id | fillnull value=NULL | search "problemtype.detailDisplayName"!=*AGRESSO* | eval problem_detail='problemtype.detailDisplayName' | eval problem_detail=replace(problem_detail, "&amp;#8226","") | eval problem_detail=replace(problem_detail, ";","|") | eval techGroupLevel = 'techGroupLevel.levelName' | eval techGroupLevel = replace(techGroupLevel, "&amp;nbsp;"," ") | eval techGroupLevel = replace(techGroupLevel, " ","") | eval techGroupLevel = replace(techGroupLevel, "Level"," Level") | eval location_Name = 'location.locationName' | eval status = 'statustype.statusTypeName' | eval priority = 'prioritytype.priorityTypeName' | eval techGroupId = 'techGroupLevel.id' | eval tech_Name = 'clientTech.displayName' | timechart span=1mon count(id) | timewrap 1y</LI-CODE><P>&nbsp;</P> Mon, 24 Jul 2023 12:27:56 GMT https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651727#M225288 ITWhisperer 2023-07-24T12:27:56Z https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651739#M225291 <P>i get an error message with that&nbsp;</P><P><SPAN>Error in 'timewrap' command: Option 'span=1y' is invalid.</SPAN></P> Mon, 24 Jul 2023 09:39:19 GMT https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651739#M225291 PaulaCom 2023-07-24T09:39:19Z https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651747#M225295 <P>Try without span=</P><LI-CODE lang="markup">| timewrap 1y</LI-CODE> Mon, 24 Jul 2023 10:06:00 GMT https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651747#M225295 ITWhisperer 2023-07-24T10:06:00Z https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651757#M225300 <P>thank you that worked&nbsp;</P> Mon, 24 Jul 2023 11:30:55 GMT https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651757#M225300 PaulaCom 2023-07-24T11:30:55Z https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651760#M225301 <P>I updated my response accordingly.</P> Mon, 24 Jul 2023 12:28:32 GMT https://community.splunk.com/t5/Splunk-Search/time-span-query/m-p/651760#M225301 ITWhisperer 2023-07-24T12:28:32Z