Equivalent of '$' of bash in splunk


Query:

search...| eval earliest=relative_time(strptime("01-February 2017","%d-%B %Y"),"+0mon"), latest=relative_time(earliest,"+1mon") | eventstats first(earliest) as earliest first(latest) as latest | makecontinuous d span=1d start=earliest end=latest | chart .....

This gives an error indicating that it is not accepting the earliest and latest field values.
How can I pass the values of earliest and latest to makecontinuous here?


Re: Equivalent of '$' of bash in splunk


@rishavvaidya, can you please explain how you are getting the earliest value into your search? Do you have a time picker input, or is it some default time selected for the search?

latest=relative_time(earliest,"+1mon")

Also is "01-February 2017" a fixed date for earliest?

Please clarify what you are trying to do and what dashboard elements you currently have, because from the description so far it seems there might be a better way to create the search than what you are attempting.


| eval message="Happy Splunking!!!"


Re: Equivalent of '$' of bash in splunk


@niketnilay

Thanks

Below is the original query that I am using...

index="idx" | eval d=replace(strptime(update,"%Y-%m-%d"),"\.\d+","") | eval date=strftime(d,"%B %Y") | where like(date,"February 2017%") | chart count as Count by d | makecontinuous d span=1d | fillnull | eval date=strftime(d,"%Y-%m-%d") | chart values(Count) as Count by date

Here I am using the "update" field as the time field, and the month I will get dynamically by passing a token from the dropdowns.
My idea is to get the count of events on every day of the month. Even if a day has no events it should give 0.

I'm using makecontinuous to do that, but the issue with this is that it makes the dates continuous only from the first non-zero event it finds.
For example, if the first non-zero event it finds is on the 3rd of the month, then it will make the days continuous from that day, leaving out the 1st and 2nd.

So I wanted to use start and end attributes of makecontinuous to make it forcibly start from first day of month. But they only take epoch values. So I tried to pass these values via fields with the below query in between. But it doesn't work. Tell me if there is any other way I can make my data continuous.

eval earliest=relative_time(strptime("01-February 2017","%d-%B %Y"),"+0mon"), latest=relative_time(earliest,"+1mon") | eventstats first(earliest) as earliest first(latest) as latest | makecontinuous d span=1d start=earliest end=latest



Re: Equivalent of '$' of bash in splunk


I found a better way to make my chart continuous. It can be done by chart using span=1d and plotting it against _time.


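The approach in the accepted reply (bin on _time with a one-day span and let timechart fill the empty days), worked through on constructed data so it can be pasted straight into a Splunk search bar. This is an added example, not code from the original thread. The field names update, Count and date follow the original query; the four sample update dates, the n weight field and the two synthetic zero-weight boundary rows are assumptions made for the demonstration.

```spl
| makeresults count=4
| streamstats count as i
| eval update=case(i=1,"2017-02-03", i=2,"2017-02-03", i=3,"2017-02-10", i=4,"2017-02-27")
| eval _time=strptime(update,"%Y-%m-%d"), n=1
| append [
    | makeresults count=2
    | streamstats count as i
    | eval month_start=strptime("2017-02-01","%Y-%m-%d")
    | eval _time=if(i=1, month_start, relative_time(month_start,"+1mon")-86400), n=0
  ]
| timechart span=1d sum(n) as Count
| fillnull value=0 Count
| eval date=strftime(_time,"%Y-%m-%d")
| table date Count
```

Run it with the time range set to "All time": timechart builds its 1d bins from the search's time range when one is set, and from the span of the data's own _time values when it is not. The two appended rows carry n=0, so they add nothing to the sums but pin that span to 1 February and 28 February; the result is 28 rows, with 2017-02-03 at 2, 2017-02-10 and 2017-02-27 at 1, and every other day (including the 1st and 2nd, before the first real event) at 0. To use it on real data, replace the first makeresults block with `index="idx" | eval _time=strptime(update,"%Y-%m-%d")` filtered to the month, keeping n=1, and build month_start from the dashboard's month token. For makecontinuous itself, start and end take a literal epoch number as the thread says; a dashboard token holding that number is substituted textually into the search before it runs, which is the closest thing SPL has to bash's `$var`.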