Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Match jobs

taha13
Explorer
‎03-14-2018 12:06 PM

So my question is:

I have jobs for each month (job for January, job for February ...), in my dashboard I have a filter on the period (month and year), for the month I is how to do it (I makes the call to the job corresponds to the month), but for the year , there is my problem, I do not know how I can display all the data (match those of January + February + March)

NB: I can't do a job on the year because of the large size of the data

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎03-14-2018 02:40 PM

What the search you're using right now? What the timerange you use for Month?

0 Karma
Reply

taha13
Explorer
‎03-15-2018 12:55 AM

This is what i'm using for each month ,for march (job name : job_mois_encours),and for february (job name :job_mois_fevrier_2018)

    <condition label="Mois en cours">
          <set token="earliest1_token">true</set>
          <set token="earliest_token">$value$</set>
          <set token="latest_token">true</set>
          <set token="time_token">true</set>
          <unset token="depends_token_1">true</unset>
          <unset token="depends_token_2">true</unset>
          <set token="depends_token_3">true</set>
          <unset token="depends_token_4">true</unset>
          <unset token="depends_token_5">true</unset>
          <unset token="depends_token_6">true</unset>
          <unset token="depends_token_7">true</unset>
          <unset token="depends_token_8">true</unset>
          <unset token="depends_token_9">true</unset>
          <set token="show_Data_Labels_token">all</set>
          <set token="token_span">$token_span3$</set>
          <!-- <set token="loadjob_token_job">job_mois_encours</set> -->
          <set token="loadjob_token_job">job_mois_encours</set>
        </condition>
        <condition label="Mois précédent">
          <set token="earliest1_token">$value$</set>
          <set token="earliest_token">true</set>
          <set token="latest_token">-0mon@mon</set>
          <set token="time_token">true</set>
          <unset token="depends_token_1">true</unset>
          <unset token="depends_token_2">true</unset>
          <unset token="depends_token_3">true</unset>
          <unset token="depends_token_4">true</unset>
          <unset token="depends_token_5">true</unset>
          <unset token="depends_token_6">true</unset>
          <unset token="depends_token_7">true</unset>
          <set token="depends_token_8">true</set>
          <unset token="depends_token_9">true</unset>
          <set token="show_Data_Labels_token">all</set>
          <set token="token_span">$token_span8$</set>
          <set token="loadjob_token_job">job_mois_fevrier_2018</set>
        </condition>

For this year ,this is the timerange that i use 

 <condition label="Année en cours">
          <set token="earliest1_token">true</set>
          <set token="earliest_token">$value$</set>
          <set token="latest_token">true</set>
          <set token="time_token">true</set>
          <unset token="depends_token">true</unset>
          <unset token="depends_token_1">true</unset>
          <unset token="depends_token_2">true</unset>
          <unset token="depends_token_3">true</unset>
          <set token="depends_token_4">true</set>
          <unset token="depends_token_5">true</unset>
          <unset token="depends_token_6">true</unset>
          <unset token="depends_token_7">true</unset>
          <unset token="depends_token_8">true</unset>
          <unset token="depends_token_9">true</unset>
          <set token="show_Data_Labels_token">all</set>
          <set token="token_span">$token_span4$</set>
        </condition>

And then n each panel,when i load the joabs ,i have

  |loadjob savedsearch="a468413:ied:$loadjob_token_job$"
           |eval date_time = strftime(_time,"%Y-%m-%d") 
              | eval earliest_time_relative=relative_time(now(),"$earliest_token$")
                | eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")

                | eval earliest1_time_relative=relative_time(now(),"$earliest1_token$")
                | eval earliest1_time = strftime(earliest1_time_relative,"%Y-%m-%d")

                | eval latest_time_relative=relative_time(now(),"$latest_token$")
                | eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")

                | eval date = strftime(_time,"%Y-%m-%d")
                | where date == "$time_token$" OR (date_time &gt;= earliest1_time AND latest_time &gt;= date_time) OR date_time&gt;= earliest_time
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...