topic Re: Restricting timechart to smaller set of days than search in Splunk Search

Restricting timechart to smaller set of days than search

DEADBEEF — Mon, 19 Feb 2024 21:02:21 GMT

I have a timechart that shows the last 30d and with the timechart I also have a trendline showing the sma7. The problem is that on the timechart, the trendline doesn't show anything for days 1-6, which I understand is because there is no data from the previous days for the sma7 to calculate.

I thought that the solution could be to change my search for the last 37d and then only timechart days 7-37d (if that makes sense) but can't seem to figure out how to implement that or if that is even a possible solution.

Existing search

index=palo eventtype=user_logon earliest=-37d@d | bin span=1d _time | timechart count(eval(like(user_auth, "%-Compliant"))) as compliant count as total | eval compliant=round(((compliant/total)*100),2) | trendline sma7(compliant) as compliant7sma | eval compliant7sma=round(compliant7sma,2) | table _time, compliant, compliant7sma

Re: Restricting timechart to smaller set of days than search

bowesmana — Mon, 19 Feb 2024 23:11:49 GMT

Not sure if this is what you're trying to do, but you can always 'remove' the dates you don't want with a where clause

If compliant7sma field does not exist for the first 6 days, then just add

| where isnotnull(compliant7sma)

at the end, or to do it on a time based filter

| where _time>=relative_time(now(), "-30d@d")

Re: Restricting timechart to smaller set of days than search

bowesmana — Mon, 19 Feb 2024 23:12:36 GMT

Also note that you don't need bin + timechart as you can simply do

| timechart span=1d...

Re: Restricting timechart to smaller set of days than search

DEADBEEF — Mon, 19 Feb 2024 23:19:44 GMT

Yes, I was looking for that where statement. My mistake, I tried using |search which didn't work. Thanks!