Splunk Search

Discard results of one month / Time range adjusted?

anac
Explorer

Hi all!

I would like to have only the results in orange and red until August. I don't want to show the September results; however, since I am running this query in September, September automatically appears. I think the problem is the time range, but I don't know how to fix this. Help please!

This is my query:

index=events *....*
earliest=-1y@y latest=+1y@y
| timechart span=1mon count by *...*
| timewrap y

This is the column chart that I'm getting:

[Screenshot: column chart, 2021-09-07]

Legend is:

Blue and green - results from 2020

Orange and red - results from 2021


Thanks a lot!

1 Solution

ITWhisperer
SplunkTrust
index=events *....*
earliest=-1y@y latest=+1y@y
| timechart span=1mon count by *...*
| where relative_time(now(),"@mon")>_time
| timewrap y

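To make the accepted answer's mechanics concrete, here is an added Python simulation (not Splunk code, and not written by any poster in this thread) of the three steps: timechart builds one bucket per month from earliest to latest, the where clause drops every bucket from the start of the current month onward, and timewrap lays the survivors out as Jan..Dec columns with one series per year. The events, the "now" of 2021-09-07 and the function names are constructed assumptions; the timewrap stand-in groups by calendar year rather than reproducing Splunk's latest-relative alignment.

```python
from collections import defaultdict
from datetime import datetime

def month_floor(dt):
    """Snap a timestamp to the start of its month (the SPL '@mon' snap)."""
    return dt.replace(day=1, hour=0, minute=0, second=0, microsecond=0)

def next_month(dt):
    y, m = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=y, month=m)

def timechart_monthly(events, earliest, latest):
    """Like 'timechart span=1mon count': one bucket per month from earliest
    up to (not including) latest, filled with 0 when no event falls in it."""
    buckets = {}
    cur = month_floor(earliest)
    while cur < latest:
        buckets[cur] = 0
        cur = next_month(cur)
    for ts in events:
        b = month_floor(ts)
        if b in buckets:
            buckets[b] += 1
    return buckets

def drop_from_current_month(buckets, now):
    """The accepted answer's filter, 'where relative_time(now(),"@mon") > _time':
    keep only buckets that start before the current (partial) month."""
    cutoff = month_floor(now)
    return {t: c for t, c in buckets.items() if t < cutoff}

def timewrap_by_year(buckets):
    """Simplified stand-in for 'timewrap y': twelve Jan..Dec slots per year;
    a slot stays None when no bucket survived the filter for that month."""
    series = defaultdict(lambda: [None] * 12)
    for t, c in buckets.items():
        series[t.year][t.month - 1] = c
    return dict(series)

def yearly_columns(events, earliest, latest, now):
    chart = timechart_monthly(events, earliest, latest)
    return timewrap_by_year(drop_from_current_month(chart, now))

# Constructed sample: -1y@y .. +1y@y relative to a 'now' of 2021-09-07, as in the thread.
NOW = datetime(2021, 9, 7, 15, 0)
EARLIEST, LATEST = datetime(2020, 1, 1), datetime(2022, 1, 1)
EVENTS = [datetime(2020, 1, 15), datetime(2020, 3, 2), datetime(2020, 9, 20), datetime(2020, 12, 31),
          datetime(2021, 2, 10), datetime(2021, 8, 30), datetime(2021, 9, 5)]  # last one is the partial month

if __name__ == "__main__":
    for year, months in sorted(yearly_columns(EVENTS, EARLIEST, LATEST, NOW).items()):
        print(year, months)
```

Running it prints 2020 with all twelve months and 2021 with January through August only; without the where filter, the September 2021 bucket (count 1) would survive and be charted.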

PickleRick
Ultra Champion

Simply

earliest=-1y@y latest=@m | [...] |timewrap year

Won't work? (Writing on my phone, don't have a splunk instance nearby to check)


ITWhisperer
SplunkTrust

@PickleRick This doesn't fit with the OP requirement which is to start the chart in January and end in December


PickleRick
Ultra Champion

Won't timewrap with a year period take care of it? Just asking, as I wrote I don't have a splunk installation at hand to check it. (I'm sitting in a dentist waiting room with my wife 😆)


ITWhisperer
SplunkTrust

The issue isn't with timewrap, it is with timechart - timechart will generate values for _time from earliest until latest, so you need to set latest to be the end of the year because the rhs of the chart is based on latest i.e. December, and everything works backwards from there.

PickleRick
Ultra Champion

I checked and you're right - it won't work. But the issue _is_ with timewrap. You can make timechart skip non-full buckets at the end of the period (so a few days of September would get ignored) but unfortunately timewrap works backwards from either "latest" or "now". There's no option to make timewrap start from "earliest" as far as I can see.


anac
Explorer

Thank you so much! That solved my problem!


anac
Explorer

And I would like to keep the column chart with the months in order - starting in January and ending in December. Only the columns and colors would indicate the year.


anac
Explorer

Hi!!

Thank you, but it doesn't.
Please see screenshots of the column chart and table below. It is missing information (and months) from 2020.
Also, the legend remains the same. It is weird that the results from 2020 (blue and green) stop.
[Screenshots: column chart and table, 2021-09-07]


richgalloway
SplunkTrust

Have you tried setting latest to the beginning of the current month?

index=events *....* earliest=-1y@y latest=@mon
| timechart span=1mon count by *...*
| timewrap y


---
If this reply helps you, an upvote would be appreciated.