Solved: Re: Discard results of one month / Time range adju...

anac · ‎09-07-2021

Hi all!

I would like to have only the results in orange and red until August. I don't want to show the September results, however since I am doing this query in September, it automatically appears September. I think the problem is the time range, but I don't know how to fix this. Help please!

This is my query:

index=events *....*
earliest=-1y@y latest=+1y@y
| timechart span=1mon count by *...*
| timewrap y

This is the column chart that i'm getting:

Legend is:

Blue and green - results from 2020

Orange and red - results from 2021

Thanks a lot!

ITWhisperer · ‎09-07-2021

index=events *....*
earliest=-1y@y latest=+1y@y
| timechart span=1mon count by *...*
| where relative_time(now(),"@mon")>_time
| timewrap y

View solution in original post

PickleRick · ‎09-07-2021

Simply

earliest=-1y@y latest=@m | [...] |timewrap year

Won't work? (Writing on my phone, don't have a splunk instance nearby to check)

ITWhisperer · ‎09-07-2021

@PickleRick This doesn't fit with the OP requirement which is to start the chart in January and end in December

PickleRick · ‎09-07-2021

Won't timewrap with a year period take care of it? Just asking, as I wrote I don't have a splunk installation at hand to check it. (I'm sitting in a dentist waiting room with my wife 😆)

ITWhisperer · ‎09-07-2021

The issue isn't with timewrap, it is with timechart - timechart will generate values for _time from earliest until latest, so you need to set latest to be the end of the year because the rhs of the chart is based on latest i.e. December, and everything works backwards from there.

PickleRick · ‎09-07-2021

I checked and you're right - it won't work. But the isssue _is_ with timewrap. You can make timechart skip non-full buckets at the end of the period (so few days of september would get ignored) but unfortunately timewrap works backwards from either "latest" or "now". There's no option to make timewrap start from "earliest" as far as I can see.

ITWhisperer · ‎09-07-2021

index=events *....*
earliest=-1y@y latest=+1y@y
| timechart span=1mon count by *...*
| where relative_time(now(),"@mon")>_time
| timewrap y

anac · ‎09-07-2021

Thank you so much! That solved my problem!

anac · ‎09-07-2021

And I would like to keep the column chart with the months in order - starting in January and ending in December. Only the columns and colors would indicate the year.

anac · ‎09-07-2021

Hi!!

Thank you, but it doesn't.
Please see screenshots of column chart and table below. It is missing information (& months) from 2020.
Also, Legend remains the same. It is weird that the results from 2020 (blue and green) stop.

richgalloway · ‎09-07-2021

Have you tried setting latest to the beginning of the current month?

index=events *....* earliest=-1y@y latest=@mon
| timechart span=1mon count by *...*
| timewrap y

---
If this reply helps you, Karma would be appreciated.

Discard results of one month / Time range adjusted?

chart

timechart

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!