Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Time value shenanigans

elloyd4
Explorer
‎04-21-2021 01:18 PM

When I run this filter, I want splunk to give me a count per day based on the Month, day, and year of value  sys_created_on instead of any ticket that may have been touched that day, but created on another day. What am I doing wrong!?  I'm teaching myself and have at least made it this far. 

I just want to get a count per day for the sys_created_on value. I tell it to give me per day values in the time picker and it give me incidents that were not created on that day. 

 

 

 

SEARCH
| dedup dv_number
| table sys_created_on dv_number dv_u_username_id assignment_group_name dv_assigned_to dv_u_workstation_ci dv_cmdb_ci dv_u_location_1 description dv_close_notes u_last_3_worknotes dv_close_notes
| rename sys_created_on AS "Created On", dv_number AS "Incident Number", dv_u_username_id AS "Username", assignment_group_name AS "Assignment Group", dv_assigned_to AS "Assigned to", dv_u_workstation_ci AS "Workstation ID", dv_cmdb_ci AS "CI" dv_u_location_1 AS "Location", description AS "Description", dv_close_notes AS "Closing Notes", u_last_3_worknotes AS "Last 3 Work Notes", dv_close_notes AS "Closing Notes"
| sort by "Incident Number" desc

 

 

 



0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-21-2021 01:33 PM

The time picker looks only at the _time field, not sys_created_on or any other.  Any filtering on other time fields has to be done manually.  If sys_created_on is in epoch (integer) form then this may help.

SEARCH
| dedup dv_number
| addinfo
| where (sys_created_on >= info_min_time AND sys_created_on <= info_max_time
| table sys_created_on dv_number dv_u_username_id assignment_group_name dv_assigned_to dv_u_workstation_ci dv_cmdb_ci dv_u_location_1 description dv_close_notes u_last_3_worknotes dv_close_notes
| rename sys_created_on AS "Created On", dv_number AS "Incident Number", dv_u_username_id AS "Username", assignment_group_name AS "Assignment Group", dv_assigned_to AS "Assigned to", dv_u_workstation_ci AS "Workstation ID", dv_cmdb_ci AS "CI" dv_u_location_1 AS "Location", description AS "Description", dv_close_notes AS "Closing Notes", u_last_3_worknotes AS "Last 3 Work Notes", dv_close_notes AS "Closing Notes"
| sort by "Incident Number" desc

If sys_created_on is a text field ("04/21/2021", for example) then it must be converted to an integer using the strptime function.  That's left as a exercise for the reader.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...