Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Query to fetch current month Date ,previous 3 months date and future one month date from indexed data

Ashwini008
Builder
‎01-12-2021 11:43 PM

Hi,

I have around 1000 events in my indexed data. I have to create a DATE dropdown which pulls and shows all the dates of CURRENT MONTH,PREVIOUS 3 MONTHS AND 1 FUTURE MONTH DATE.

How do i write a query for this?

P.S: My Date is not index_time/_time.It is sharepoint data which i am indexing it in splunk

Thanks in Advance! Happy New year!

 

Query used to fetch DATE field and ProdDate is in yyyy-mm-dd format(2021-01-09)

index = splunk  sourcetype = splunk-sp | spath | fields m:properties_date | rename "m:properties_date" as "ProdDate" | dedup ProdDate | eval temp=split(ProdDate,"T") | eval ProdDate=mvindex(temp, 0) |table ProdDate

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-13-2021 09:39 AM

I don't understand our requirement either. Having said that, I think you should dedup last. Also, if you are interested in months rather than dates you could try

index = splunk  sourcetype = splunk-sp
| spath
| rex field=m:properties_date "(?<ProdDate>\d{4}-\d{2})-\d{2}T"
| dedup ProdDate
| table ProdDate

 Do you then need to select current month, 3 months previous and next month from these results? Why can't you just generate these based on now()?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2021 05:58 AM

I don't understand the problem.  You have a query already.  What are you trying to do that the query doesn't do?

Are you saying your index has data 1 month into the future?  Why?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Ashwini008
Builder
‎01-13-2021 03:15 AM

@woodcock @richgalloway @Anonymous @ITWhisperer @inventsekar  any suggestions please?

0 Karma
Reply

General_Talos
Path Finder
‎01-13-2021 12:11 AM

If you are building dashboard, I am not sure if you checked details captured by @niketn in below mentioned post.

 

https://community.splunk.com/t5/Dashboards-Visualizations/Jquery-datepicker-in-splunk/m-p/361049

 

0 Karma
Reply

Ashwini008
Builder
‎01-13-2021 01:42 AM

@General_Talos  I am not using Datepicker. My requirement is to capture the the dates from my field PRODdate(this is not index time/_time). 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...