Splunk Search

Equivalent of '$' of bash in Splunk

rishavvaidya
Explorer

Query:

search...| eval earliest=relative_time(strptime("01-February 2017","%d-%B %Y"),"+0mon"), latest=relative_time(earliest,"+1mon")|eventstats first(earliest) as earliest first(latest) as latest |makecontinuous d span=1d start=earliest end=latest | chart .....

This thing gives an error indicating it is not accepting earliest and latest field values.
How can I pass the values of earliest and latest here to makecontinuous?

0 Karma
1 Solution

rishavvaidya
Explorer

I found a better way to make my chart continuous. It can be done by chart using span=1d and plotting it against _time.


0 Karma

niketn
Legend

@rishavvaidya, can you please explain how you are getting earliest value to your search? Do you have time picker input or is it some default times selected for search?

latest=relative_time(earliest,"+1mon")

Also is "01-February 2017" a fixed date for earliest?

Please clarify what you are trying to do and what dashboard elements you currently have, because from the description so far it seems like there might be a better way to create the search rather than what you are attempting.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rishavvaidya
Explorer

@niketn

Thanks

Below is the original query that I am using...

index="idx" |eval d=replace(strptime(update,"%Y-%m-%d"),".\d+","")|eval date=strftime(d,"%B %Y")|where like(date,"February 2017%")|chart count as Count by d |makecontinuous d span=1d |fillnull|eval date=strftime(d,"%Y-%m-%d") | chart values(Count) as Count by date

Here I am using the "update" field as the time field, and I will get the month dynamically by passing a token from the dropdowns.
My idea is to get the count of events on every day of the month. Even if a day has no event it should give 0.

I'm using makecontinuous to do that, but the issue with this is that it makes the dates continuous only from the first non-zero event it finds.
So if the first non-zero event it finds is on the 3rd of the month, it will make the days continuous from that day, leaving out the 1st and 2nd.

So I wanted to use the start and end attributes of makecontinuous to make it forcibly start from the first day of the month. But they only take epoch values. So I tried to pass these values via fields with the query below in between. But it doesn't work. Tell me if there is any other way I can make my data continuous.

eval earliest=relative_time(strptime("01-February 2017","%d-%B %Y"),"+0mon"), latest=relative_time(earliest,"+1mon")|eventstats first(earliest) as earliest first(latest) as latest |makecontinuous d span=1d start=earliest end=latest


0 Karma
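Added example, not code from the original thread or from Splunk's documentation: one way to get a zero-filled daily count that always starts on the 1st of the month, without needing to pass field values into makecontinuous (whose start= and end= arguments only accept literal numbers, which is why the eventstats trick above errors). Instead of stretching the existing buckets, the search generates every day of the month with makeresults and mvrange, appends those rows with Count=0, and sums them with the real counts. It assumes the same index "idx" and the "update" field in %Y-%m-%d format as in the thread; the literal "2017-02-01" is a placeholder for the first day of the month that the dashboard token would supply.

```spl
index="idx"
| eval d=strptime(update,"%Y-%m-%d")
| eval mstart=strptime("2017-02-01","%Y-%m-%d"), mend=relative_time(mstart,"+1mon")
| where d>=mstart AND d<mend
| eval date=strftime(d,"%Y-%m-%d")
| stats count as Count by date
| append
    [| makeresults
     | eval mstart=strptime("2017-02-01","%Y-%m-%d"), mend=relative_time(mstart,"+1mon")
     | eval d=mvrange(mstart, mend, "1d")
     | mvexpand d
     | eval date=strftime(d,"%Y-%m-%d"), Count=0
     | fields date Count]
| stats sum(Count) as Count by date
```

Two things to note. Grouping on the formatted "date" string rather than on the raw epoch avoids the mismatch between strptime output (which carries a fractional part, the reason the original query used replace to strip it) and the integer values mvrange produces, and it also keeps day boundaries correct across a DST change because the "1d" step is applied as a timespan. Because the month filter is on "update" rather than _time, the time picker still has to cover the events' index time, otherwise the outer search returns nothing and the chart shows 28 zeros, which is exactly the failure mode the thread is about and now at least appears as a full month rather than a truncated one.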