Getting Data In

Time picker to pick month to date events with modified dates

bdf0506
Path Finder

So I'm trying to get a search to pick events that have happened so far this month. Problem is that I have to calculate the previous day's activity in the following day. So on Jan 2, I am calculating Jan 1st bandwidth usage. Then if I want to grab just January's events, then technically I need to grab events from Jan 2 to Feb 1, instead of Jan 1 to Jan 31.

Events look like this:

  1. Dec 31 03:15:04 bandwidth_stats Date=2016-12-30, Download=37680.19, Upload=909.42, Total=38589.61
  2. Jan 01 03:15:03 bandwidth_stats Date=2016-12-31, Download=9175.72, Upload=774.79, Total=9950.51
  3. Jan 02 03:15:04 bandwidth_stats Date=2017-01-01, Download=6682.41, Upload=674.98, Total=7357.39
  4. Jan 03 03:15:05 bandwidth_stats Date=2017-01-02, Download=8770.47, Upload=709.43, Total=9479.90

So let's assume that today is Jan 3rd, around noon. I want to pull just the events that are Month to date, so in reality that's only event 3 and 4. But it's also pulling event 2 that I don't want it to.

Time picker is set to Month to date.

Search query looks like this:
    bandwidth_stats | eval _time=strptime(Date,"%Y-%m-%d")

What else can I do to make it pull just this month's events, based on the Date field in the events?

0 Karma
1 Solution

somesoni2
Revered Legend

Try like this. Should select all the events available for this month and then filter to keep only events where Date field value belonged to this month.

    index=foo sourcetype=bar earliest=@mon bandwidth_stats | eval _time=strptime(Date,"%Y-%m-%d") | where _time>=relative_time(now(),"@mon") |..rest of the search


0 Karma


bdf0506
Path Finder

That works much better. Very clean to use as well, thanks.

0 Karma

hunters_splunk
Splunk Employee

Hi bdf0506,

Seems Splunk is picking up events based on this date - Jan 01 03:15:03 - rather than this one - Date=2016-12-31.

I think you have two options:

  • Customize field extraction to have Splunk extract Date=yyyy-mm-dd as the event date rather than the first date.
  • Customize the date-time picker query to pick your original relative date + 1. Here is an example that shows how to pick events from last month + 1 day (12/2 - 1/1 rather than 12/1 - 12/31):

    | makeresults
    | eval previous_month_begin_1 = relative_time(now(),"-1mon@mon")
    | eval previous_month_begin_2 = relative_time(previous_month_begin_1, "+1d")
    | eval "Previous Month Start" = strftime(previous_month_begin_2, "%B %d, %Y")
    | eval previous_month_end_1 = relative_time(now(),"@mon-1m")
    | eval previous_month_end_2 = relative_time(previous_month_end_1, "+1d")
    | eval "Previous Month End" = strftime(previous_month_end_2, "%B %d, %Y")
    | table "Previous Month Start", "Previous Month End"

Hope this helps. Thanks!
Hunter

0 Karma
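To make the off-by-one-day behaviour concrete, here is an added Python model of the three searches discussed in this thread (the plain "Month to date" picker, somesoni2's accepted filter on the Date field, and hunters_splunk's shifted window). It is not code from the original thread or from Splunk; it runs over the four sample events from the question, with the year inferred from the Date field because the syslog timestamp has none, and with "now" fixed at Jan 3rd noon as the question assumes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in the format shown in the question (bandwidth for
# day N is logged on day N+1). Syslog timestamps carry no year, so the year is
# inferred from the Date field in parse_event().
SAMPLE_EVENTS = [
    "Dec 31 03:15:04 bandwidth_stats Date=2016-12-30, Download=37680.19, Upload=909.42, Total=38589.61",
    "Jan 01 03:15:03 bandwidth_stats Date=2016-12-31, Download=9175.72, Upload=774.79, Total=9950.51",
    "Jan 02 03:15:04 bandwidth_stats Date=2017-01-01, Download=6682.41, Upload=674.98, Total=7357.39",
    "Jan 03 03:15:05 bandwidth_stats Date=2017-01-02, Download=8770.47, Upload=709.43, Total=9479.90",
]

# "Today is Jan 3rd, around noon" (constructed clock matching the question).
NOW = datetime(2017, 1, 3, 12, 0, 0)

EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) bandwidth_stats "
    r"Date=(?P<date>\d{4}-\d{2}-\d{2}), Download=(?P<down>[\d.]+), "
    r"Upload=(?P<up>[\d.]+), Total=(?P<total>[\d.]+)$"
)


def parse_event(line):
    """Return the syslog timestamp (what Splunk indexes as _time) and the
    Date field, parsed separately."""
    m = EVENT_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised event line: {line!r}")
    date = datetime.strptime(m["date"], "%Y-%m-%d")
    # Borrow the year from Date; if that puts the syslog time before the day it
    # reports on, the line rolled into the next year (Jan 01 reporting Dec 31).
    ts = datetime.strptime(f"{date.year} {m['ts']}", "%Y %b %d %H:%M:%S")
    if ts < date:
        ts = ts.replace(year=date.year + 1)
    return {"_time": ts, "Date": date, "Total": float(m["total"])}


def month_start(now):
    """Equivalent of relative_time(now(), "@mon"): snap to 00:00 on the 1st."""
    return now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)


def _dates(events):
    return [e["Date"].strftime("%Y-%m-%d") for e in events]


def naive_month_to_date(lines, now):
    """What the 'Month to date' picker does on its own: filter on indexed _time,
    which also pulls in the Jan 01 line that actually reports Dec 31."""
    start = month_start(now)
    return _dates(e for e in map(parse_event, lines) if start <= e["_time"] <= now)


def month_to_date_by_date_field(lines, now):
    """The accepted answer: earliest=@mon sets the window, _time is replaced by
    strptime(Date), and 'where _time >= relative_time(now(), "@mon")' keeps
    only rows whose Date falls inside this month."""
    start = month_start(now)
    kept = []
    for e in map(parse_event, lines):
        if not (start <= e["_time"] <= now):   # time picker / earliest=@mon
            continue
        if e["Date"] >= start:                  # where clause on the re-parsed _time
            kept.append(e)
    return _dates(kept)


def month_to_date_by_shifted_window(lines, now):
    """hunters_splunk's alternative: keep the indexed _time but move the window
    start forward one day (Jan 2 .. now instead of Jan 1 .. now), mirroring
    the relative_time(..., "+1d") arithmetic in that answer."""
    start = month_start(now) + timedelta(days=1)
    return _dates(e for e in map(parse_event, lines) if start <= e["_time"] <= now)


if __name__ == "__main__":
    print("picker only:    ", naive_month_to_date(SAMPLE_EVENTS, NOW))
    print("filter on Date: ", month_to_date_by_date_field(SAMPLE_EVENTS, NOW))
    print("shifted window: ", month_to_date_by_shifted_window(SAMPLE_EVENTS, NOW))
```

Both fixes return only the Jan 1 and Jan 2 rows for the sample data. Filtering on the Date field is the more general of the two, because it does not depend on the reporting lag being exactly one day; the shifted window silently breaks if a daily job runs late or is skipped.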

bdf0506
Path Finder

Oh boy, that seems super complicated. I think the lesser of two evils would be to customize the field extraction on the new data, as well as somehow modifying the existing data, if possible...

0 Karma