So I'm trying to get a search to pick events that have happened so far this month. Problem is that I have to calculate the previous day's activity in the following day. So on Jan 2, I am calculating Jan 1st bandwidth usage. Then if I want to grab just January's events, technically I need to grab events from Jan 2 to Feb 1, instead of Jan 1 to Jan 31.
Events look like this:
Dec 31 03:15:04 bandwidth_stats Date=2016-12-30, Download=37680.19, Upload=909.42, Total=38589.61
Jan 01 03:15:03 bandwidth_stats Date=2016-12-31, Download=9175.72, Upload=774.79, Total=9950.51
Jan 02 03:15:04 bandwidth_stats Date=2017-01-01, Download=6682.41, Upload=674.98, Total=7357.39
Jan 03 03:15:05 bandwidth_stats Date=2017-01-02, Download=8770.47, Upload=709.43, Total=9479.90
So let's assume that today is Jan 3rd, around noon. I want to pull just the events that are Month to date, so in reality that's only events 3 and 4. But it's also pulling event 2, which I don't want it to.
Time picker is set to Month to date.
Search query looks like this:
bandwidth_stats | eval _time=strptime(Date,"%Y-%m-%d")
What else can I do to make it pull just this month's events, based on the Date field in the events?
Seems Splunk is picking up events based on this date - Jan 01 03:15:03 - rather than this one - Date=2016-12-31.
I think you have two options:
Customize the date-time picker query to pick your original relative date + 1. Here is an example that shows how to pick events from last month + 1 day - 12/2 - 1/1 rather than 12/1 - 12/31:
| eval previousmonthbegin1 = relative_time(now(),"-1mon@mon")
| eval previousmonthbegin2 = relative_time(previousmonthbegin1, "+1d")
| eval "Previous Month Start" = strftime(previousmonthbegin2, "%B %d, %Y")
| eval previousmonthend1 = relative_time(now(),"@mon-1m")
| eval previousmonthend2 = relative_time(previousmonthend1, "+1d")
| eval "Previous Month End" = strftime(previousmonthend2, "%B %d, %Y")
| table "Previous Month Start", "Previous Month End"
Hope this helps. Thanks!
Oh boy, that seems super complicated. I think the lesser of two evils would be to customize the field extraction on the new data, as well as somehow modifying the existing data, if possible...
Try like this. It should select all the events available for this month and then filter to keep only events where the Date field value belongs to this month.
index=foo sourcetype=bar earliest=@mon bandwidth_stats | eval _time=strptime(Date,"%Y-%m-%d") | where _time>=relative_time(now(),"@mon") |..rest of the search
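To see why the time picker alone returns event 2 and the Date-based where clause does not, here is an added Python emulation of the two filters run over the four sample events from the question (this is not Splunk code and not from the thread; the parser, the year inference for the year-less syslog stamp, and the fixed "now" of Jan 3 noon are assumptions):

```python
import re
from datetime import datetime

# Constructed sample: the four events quoted in the question (syslog stamps carry no year).
EVENTS = [
    "Dec 31 03:15:04 bandwidth_stats Date=2016-12-30, Download=37680.19, Upload=909.42, Total=38589.61",
    "Jan 01 03:15:03 bandwidth_stats Date=2016-12-31, Download=9175.72, Upload=774.79, Total=9950.51",
    "Jan 02 03:15:04 bandwidth_stats Date=2017-01-01, Download=6682.41, Upload=674.98, Total=7357.39",
    "Jan 03 03:15:05 bandwidth_stats Date=2017-01-02, Download=8770.47, Upload=709.43, Total=9479.90",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) bandwidth_stats "
    r"Date=(?P<date>\d{4}-\d{2}-\d{2}), Download=(?P<down>[\d.]+), "
    r"Upload=(?P<up>[\d.]+), Total=(?P<total>[\d.]+)$"
)


def parse_event(line):
    """Return (index_time, report_date, total).

    index_time stands in for the _time Splunk assigns at ingest from the syslog
    stamp; its year is inferred (assumption) from the Date field, rolling
    forward when a December report is ingested on Jan 1."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    report_date = datetime.strptime(m["date"], "%Y-%m-%d")
    stamp = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    year = report_date.year + (1 if stamp.month == 1 and report_date.month == 12 else 0)
    return stamp.replace(year=year), report_date, float(m["total"])


def month_to_date(lines, now_iso, by_date_field):
    """Emulate the two searches for a given 'now' (ISO string, e.g. "2017-01-03T12:00:00").

    by_date_field=False: the time picker's Month-to-date window on ingest _time.
    by_date_field=True:  the where clause on _time re-derived from the Date field."""
    now = datetime.fromisoformat(now_iso)
    month_start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    selected = []
    for line in lines:
        index_time, report_date, total = parse_event(line)
        key = report_date if by_date_field else index_time
        if month_start <= key <= now:
            selected.append((report_date.strftime("%Y-%m-%d"), total))
    return selected
```

With "now" set to 2017-01-03T12:00:00, the ingest-time window keeps events 2, 3 and 4 while the Date-based filter keeps only 3 and 4, which is exactly the discrepancy described in the question.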