Hi all!
I would like to have only the results in orange and red until August. I don't want to show the September results, however since I am doing this query in September, it automatically appears September. I think the problem is the time range, but I don't know how to fix this. Help please!
This is my query:
index=events *....*
earliest=-1y@y latest=+1y@y
| timechart span=1mon count by *...*
| timewrap y
This is the column chart that i'm getting:
Legend is:
Blue and green - results from 2020
Orange and red - results from 2021
Thanks a lot!
index=events *....*
earliest=-1y@y latest=+1y@y
| timechart span=1mon count by *...*
| where relative_time(now(),"@mon")>_time
| timewrap y
Simply
earliest=-1y@y latest=@m | [...] |timewrap year
Won't work? (Writing on my phone, don't have a splunk instance nearby to check)
@PickleRick This doesn't fit with the OP requirement which is to start the chart in January and end in December
Won't timewrap with a year period take care of it? Just asking, as I wrote I don't have a splunk installation at hand to check it. (I'm sitting in a dentist waiting room with my wife 😆)
The issue isn't with timewrap, it is with timechart - timechart will generate values for _time from earliest until latest, so you need to set latest to be the end of the year because the rhs of the chart is based on latest i.e. December, and everything works backwards from there.
I checked and you're right - it won't work. But the isssue _is_ with timewrap. You can make timechart skip non-full buckets at the end of the period (so few days of september would get ignored) but unfortunately timewrap works backwards from either "latest" or "now". There's no option to make timewrap start from "earliest" as far as I can see.
index=events *....*
earliest=-1y@y latest=+1y@y
| timechart span=1mon count by *...*
| where relative_time(now(),"@mon")>_time
| timewrap y
Thank you so much! That solved my problem!
And I would like to keep the column chart with the months in order - starting in January and ending in December. Only the columns and colors would indicate the year.
Hi!!
Thank you, but it doesn't.
Please see screenshots of column chart and table below. It is missing information (& months) from 2020.
Also, Legend remains the same. It is weird that the results from 2020 (blue and green) stop.
Have you tried setting latest to the beginning of the current month?
index=events *....* earliest=-1y@y latest=@mon
| timechart span=1mon count by *...*
| timewrap y