Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Iam trying to get data from "30-Oct-23" but its starting from "23-Oct-23".Could anyone please suggest change in my query

krishna1
Explorer
‎11-05-2023 10:47 PM

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%V")

|eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
|eval new_timeline=strftime(timeline_date,"%Y-%V")
|where lastmodifiedWeek<=new_timeline
|join max=0 type=left current_ticket_state [|inputlookup weekly_status_state_mapping.csv|rename Status as current_ticket_state|table current_ticket_state Lookup]

| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline2=relative_time(timeline1,"-1w@w1")
| eval timeline = strftime(timeline2, "%Y-%m-%d")
| table timeline , Lookup count
|chart values(count) as count over timeline by Lookup |fillnull value=0 |tail 4 |reverse



krishna1_0-1699252995057.png

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎11-06-2023 01:26 AM

If you want to see only data that is before the 30th the following line does not make sense:

 

| eval timeline2=relative_time(timeline1,"-1w@w1")

 

The data is correct but since you reduce the timeline date by 1 week it shows 23rd October instead of 30th.. 
Its purely visual though. The data does not change because of this command since you are not filtering against the time of the events after the change.
Just remove this line and the data should be correct

Additionally I'd suggest using the same time conversion.
Converting weeks with %V starts at count 1 while doing it with %U starts at 0. You are using both in the same Query.

 

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%U")

|eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
|eval new_timeline=strftime(timeline_date,"%Y-%U")
|where lastmodifiedWeek<=new_timeline

| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline = strftime(timeline1, "%Y-%m-%d")
| table timeline , Lookup count
|chart values(count) as count over timeline by Lookup |fillnull value=0 |tail 4 |reverse

 

If I missundestood you and you want the data that comes after the 30th then you'd additionally have to change the "where" line to the following:

 

|where lastmodifiedWeek>=new_timeline

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎11-06-2023 01:26 AM

If you want to see only data that is before the 30th the following line does not make sense:

 

| eval timeline2=relative_time(timeline1,"-1w@w1")

 

The data is correct but since you reduce the timeline date by 1 week it shows 23rd October instead of 30th.. 
Its purely visual though. The data does not change because of this command since you are not filtering against the time of the events after the change.
Just remove this line and the data should be correct

Additionally I'd suggest using the same time conversion.
Converting weeks with %V starts at count 1 while doing it with %U starts at 0. You are using both in the same Query.

 

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%U")

|eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
|eval new_timeline=strftime(timeline_date,"%Y-%U")
|where lastmodifiedWeek<=new_timeline

| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline = strftime(timeline1, "%Y-%m-%d")
| table timeline , Lookup count
|chart values(count) as count over timeline by Lookup |fillnull value=0 |tail 4 |reverse

 

If I missundestood you and you want the data that comes after the 30th then you'd additionally have to change the "where" line to the following:

 

|where lastmodifiedWeek>=new_timeline

 

0 Karma
Reply
Solved! Jump to solution

krishna1
Explorer
‎11-08-2023 03:16 AM

Thanks, Its working

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-06-2023 01:21 AM

Your where command is excluding events which are earlier than 30-Oct-23, which is why you are seeing no data from then.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...