Dashboards & Visualizations

How to create a timechart for the first of each month?

annisha26
Explorer

I'm trying to create a timechart at intervals of one month however the below code produces the sum of the entire month, I want the value on the 1st of each month, please let me know any solutions to get value any alternate to span to get intervals as on

2022-10-01
2022-09-01
2022-08-01

`source=all_month.csv place=*alaska* mag>=3.5 | timechart span=mon@mon1 count BY mag` 

 

(index="sales") | fillnull value="undefined"| bucket _time span=mon@mon1
| chart count by _time stock

Labels (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @annisha26,

in the main search add (if present) the field date_mday="1".

Then use timechart instead chart:

(index="sales") date_mday="1"
| fillnull value="undefined"
| timechart span=mon@mon1 count BY stock

if you haven't this field, you can extract:

(index="sales") 
| eval date_mday=strftime(_time,"m")
| search date_mday="1"
| fillnull value="undefined"
| timechart span=mon@mon1 count BY stock

Ciao.

Giuseppe

 

 

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...