
Time value shenanigans

elloyd4
Explorer

When I run this filter, I want Splunk to give me a count per day based on the month, day, and year of the value sys_created_on instead of any ticket that may have been touched that day but created on another day. What am I doing wrong!? I'm teaching myself and have at least made it this far.

I just want to get a count per day for the sys_created_on value. I tell it to give me per-day values in the time picker and it gives me incidents that were not created on that day.

SEARCH
| dedup dv_number
| table sys_created_on dv_number dv_u_username_id assignment_group_name dv_assigned_to dv_u_workstation_ci dv_cmdb_ci dv_u_location_1 description dv_close_notes u_last_3_worknotes
| rename sys_created_on AS "Created On", dv_number AS "Incident Number", dv_u_username_id AS "Username", assignment_group_name AS "Assignment Group", dv_assigned_to AS "Assigned to", dv_u_workstation_ci AS "Workstation ID", dv_cmdb_ci AS "CI", dv_u_location_1 AS "Location", description AS "Description", dv_close_notes AS "Closing Notes", u_last_3_worknotes AS "Last 3 Work Notes"
| sort "Incident Number" desc

richgalloway
SplunkTrust

The time picker looks only at the _time field, not sys_created_on or any other. Any filtering on other time fields has to be done manually. If sys_created_on is in epoch (integer) form then this may help.

SEARCH
| dedup dv_number
| addinfo
| where (sys_created_on >= info_min_time AND sys_created_on <= info_max_time)
| table sys_created_on dv_number dv_u_username_id assignment_group_name dv_assigned_to dv_u_workstation_ci dv_cmdb_ci dv_u_location_1 description dv_close_notes u_last_3_worknotes
| rename sys_created_on AS "Created On", dv_number AS "Incident Number", dv_u_username_id AS "Username", assignment_group_name AS "Assignment Group", dv_assigned_to AS "Assigned to", dv_u_workstation_ci AS "Workstation ID", dv_cmdb_ci AS "CI", dv_u_location_1 AS "Location", description AS "Description", dv_close_notes AS "Closing Notes", u_last_3_worknotes AS "Last 3 Work Notes"
| sort "Incident Number" desc

If sys_created_on is a text field ("04/21/2021", for example) then it must be converted to an integer using the strptime function. That's left as an exercise for the reader.

---
If this reply helps you, Karma would be appreciated.
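An added example, not from either poster, that carries the strptime conversion through and ends with the per-day count the question asked for. It assumes sys_created_on arrives either as an epoch number or as text in the form 2021-04-21 13:05:22; the format string is an assumption, so change it if your data differs (for "04/21/2021" use "%m/%d/%Y").

```spl
SEARCH
| dedup dv_number
| addinfo
| eval created_epoch=if(isnum(sys_created_on), sys_created_on, strptime(sys_created_on, "%Y-%m-%d %H:%M:%S"))
| where created_epoch>=info_min_time AND created_epoch<=info_max_time
| eval created_day=strftime(created_epoch, "%Y-%m-%d")
| stats count AS incidents BY created_day
| sort created_day
```

Rows whose sys_created_on does not match the format get a null created_epoch and are dropped by the where clause, so compare the total before and after the filter if the daily counts look low.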