Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Iam trying to get data from "30-Oct-23" but its starting from "23-Oct-23".Could anyone please suggest change in my query

krishna1
Explorer
‎11-05-2023 10:47 PM

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%V")

|eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
|eval new_timeline=strftime(timeline_date,"%Y-%V")
|where lastmodifiedWeek<=new_timeline
|join max=0 type=left current_ticket_state [|inputlookup weekly_status_state_mapping.csv|rename Status as current_ticket_state|table current_ticket_state Lookup]

| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline2=relative_time(timeline1,"-1w@w1")
| eval timeline = strftime(timeline2, "%Y-%m-%d")
| table timeline , Lookup count
|chart values(count) as count over timeline by Lookup |fillnull value=0 |tail 4 |reverse



krishna1_0-1699252995057.png

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎11-06-2023 01:26 AM

If you want to see only data that is before the 30th the following line does not make sense:

 

| eval timeline2=relative_time(timeline1,"-1w@w1")

 

The data is correct but since you reduce the timeline date by 1 week it shows 23rd October instead of 30th.. 
Its purely visual though. The data does not change because of this command since you are not filtering against the time of the events after the change.
Just remove this line and the data should be correct

Additionally I'd suggest using the same time conversion.
Converting weeks with %V starts at count 1 while doing it with %U starts at 0. You are using both in the same Query.

 

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%U")

|eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
|eval new_timeline=strftime(timeline_date,"%Y-%U")
|where lastmodifiedWeek<=new_timeline

| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline = strftime(timeline1, "%Y-%m-%d")
| table timeline , Lookup count
|chart values(count) as count over timeline by Lookup |fillnull value=0 |tail 4 |reverse

 

If I missundestood you and you want the data that comes after the 30th then you'd additionally have to change the "where" line to the following:

 

|where lastmodifiedWeek>=new_timeline

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎11-06-2023 01:26 AM

If you want to see only data that is before the 30th the following line does not make sense:

 

| eval timeline2=relative_time(timeline1,"-1w@w1")

 

The data is correct but since you reduce the timeline date by 1 week it shows 23rd October instead of 30th.. 
Its purely visual though. The data does not change because of this command since you are not filtering against the time of the events after the change.
Just remove this line and the data should be correct

Additionally I'd suggest using the same time conversion.
Converting weeks with %V starts at count 1 while doing it with %U starts at 0. You are using both in the same Query.

 

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%U")

|eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
|eval new_timeline=strftime(timeline_date,"%Y-%U")
|where lastmodifiedWeek<=new_timeline

| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline = strftime(timeline1, "%Y-%m-%d")
| table timeline , Lookup count
|chart values(count) as count over timeline by Lookup |fillnull value=0 |tail 4 |reverse

 

If I missundestood you and you want the data that comes after the 30th then you'd additionally have to change the "where" line to the following:

 

|where lastmodifiedWeek>=new_timeline

 

0 Karma
Reply
Solved! Jump to solution

krishna1
Explorer
‎11-08-2023 03:16 AM

Thanks, Its working

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-06-2023 01:21 AM

Your where command is excluding events which are earlier than 30-Oct-23, which is why you are seeing no data from then.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...