I would like to have only the results in orange and red until August. I don't want to show the September results, however since I am doing this query in September, it automatically appears September. I think the problem is the time range, but I don't know how to fix this. Help please!
This is my query:
| timechart span=1mon count by *...*
| timewrap y
This is the column chart that i'm getting:
Blue and green - results from 2020
Orange and red - results from 2021
Thanks a lot!
Won't timewrap with a year period take care of it? Just asking, as I wrote I don't have a splunk installation at hand to check it. (I'm sitting in a dentist waiting room with my wife 😆)
The issue isn't with timewrap, it is with timechart - timechart will generate values for _time from earliest until latest, so you need to set latest to be the end of the year because the rhs of the chart is based on latest i.e. December, and everything works backwards from there.
I checked and you're right - it won't work. But the isssue _is_ with timewrap. You can make timechart skip non-full buckets at the end of the period (so few days of september would get ignored) but unfortunately timewrap works backwards from either "latest" or "now". There's no option to make timewrap start from "earliest" as far as I can see.
Thank you, but it doesn't.
Please see screenshots of column chart and table below. It is missing information (& months) from 2020.
Also, Legend remains the same. It is weird that the results from 2020 (blue and green) stop.
Have you tried setting latest to the beginning of the current month?
index=events *....* earliest=-1y@y latest=@mon | timechart span=1mon count by *...* | timewrap y