How to create a timechart for the first of each mo...

annisha26 · ‎10-10-2022

I'm trying to create a timechart at intervals of one month however the below code produces the sum of the entire month, I want the value on the 1st of each month, please let me know any solutions to get value any alternate to span to get intervals as on

2022-10-01
2022-09-01
2022-08-01

`source=all_month.csv place=*alaska* mag>=3.5 | timechart span=mon@mon1 count BY mag`

(index="sales") | fillnull value="undefined"| bucket _time span=mon@mon1
| chart count by _time stock

gcusello · ‎10-10-2022

Hi @annisha26,

in the main search add (if present) the field date_mday="1".

Then use timechart instead chart:

(index="sales") date_mday="1"
| fillnull value="undefined"
| timechart span=mon@mon1 count BY stock

if you haven't this field, you can extract:

(index="sales") 
| eval date_mday=strftime(_time,"m")
| search date_mday="1"
| fillnull value="undefined"
| timechart span=mon@mon1 count BY stock

Ciao.

Giuseppe

How to create a timechart for the first of each month?

chart

timechart

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?