Solved: Iam trying to get data from "30-Oct-23" but its st...

krishna1 · ‎11-05-2023

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%V")

FelixLeh · ‎11-06-2023

If you want to see only data that is before the 30th the following line does not make sense:

| eval timeline2=relative_time(timeline1,"-1w@w1")

The data is correct but since you reduce the timeline date by 1 week it shows 23rd October instead of 30th..
Its purely visual though. The data does not change because of this command since you are not filtering against the time of the events after the change.
Just remove this line and the data should be correct

Additionally I'd suggest using the same time conversion.
Converting weeks with %V starts at count 1 while doing it with %U starts at 0. You are using both in the same Query.

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%U")

|eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
|eval new_timeline=strftime(timeline_date,"%Y-%U")
|where lastmodifiedWeek<=new_timeline

| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline = strftime(timeline1, "%Y-%m-%d")
| table timeline , Lookup count
|chart values(count) as count over timeline by Lookup |fillnull value=0 |tail 4 |reverse

If I missundestood you and you want the data that comes after the 30th then you'd additionally have to change the "where" line to the following:

|where lastmodifiedWeek>=new_timeline

View solution in original post

FelixLeh · ‎11-06-2023

If you want to see only data that is before the 30th the following line does not make sense:

| eval timeline2=relative_time(timeline1,"-1w@w1")

The data is correct but since you reduce the timeline date by 1 week it shows 23rd October instead of 30th..
Its purely visual though. The data does not change because of this command since you are not filtering against the time of the events after the change.
Just remove this line and the data should be correct

Additionally I'd suggest using the same time conversion.
Converting weeks with %V starts at count 1 while doing it with %U starts at 0. You are using both in the same Query.

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%U")

|eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
|eval new_timeline=strftime(timeline_date,"%Y-%U")
|where lastmodifiedWeek<=new_timeline

| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline = strftime(timeline1, "%Y-%m-%d")
| table timeline , Lookup count
|chart values(count) as count over timeline by Lookup |fillnull value=0 |tail 4 |reverse

If I missundestood you and you want the data that comes after the 30th then you'd additionally have to change the "where" line to the following:

|where lastmodifiedWeek>=new_timeline

krishna1 · ‎11-08-2023

Thanks, Its working

ITWhisperer · ‎11-06-2023

Your where command is excluding events which are earlier than 30-Oct-23, which is why you are seeing no data from then.

Iam trying to get data from "30-Oct-23" but its starting from "23-Oct-23".Could anyone please suggest change in my query

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)