First day of the month

taha13
Explorer

Hello ,

I have a job for this month; the problem is that in my histogram I always have Thursday as the first day.

0 Karma

niketnilay
Legend

@taha13, since you are calculating the date field from _time, all other time fields are dependent on the _time field itself. The approach you are using in the query is very expensive. Refer to the documentation for search optimization tips.

You should ideally use the token from the Time Picker in your search, or use earliest and latest filters in your base search. If you want to run the search for the current month, your snap-to-time should be as follows (a run-anywhere search based on Splunk's _internal index):

index="_internal" sourcetype="splunkd" log_level="ERROR" earliest=@mon latest=now
| timechart span=1d count

Following is the Splunk Docs link with examples of snap-to-time modifiers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

taha13
Explorer

This is my query:

| loadjob savedsearch="a468413:ied:job_mois_encours"
| eval date = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"-0mon@mon")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"-0d@d")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| where date == "-0mon@mon" OR (_time >= earliest_time_relative AND _time<=latest_time_relative)

I'm using loadjob! Where can I put the earliest and the latest? Or if there is just an edit to my query, that would be better for my code, because I'm using this method for five dashboards.

0 Karma

niketnilay
Legend

@taha13, are you using a scheduled saved search in the dashboard? If that is the case, there will be a limited number of results sent, which are already saved. So there should be no impact from this kind of time filter that you are trying to apply on the results.

However, when you run the search |loadjob savedsearch="a468413:ied:job_mois_encours", do you see the timestamps that you are interested in?

You should calculate earliest and latest time as epoch time (since it is on your dashboard you can use a dummy search to perform this) and apply a direct filter based on `_time > earliestEpochTime AND _time < latestEpochTime`.

Refer to my previous Answer to get earliest and latest epoch time tokens from Time Picker: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

0 Karma

DalJeanis
SplunkTrust

Your question is unclear.

1) Is this a weekly job? If so, what day do you want to be the first day of the week?

2) Please post a non-confidential version of the SPL (eliminating any parts that might be proprietary or PHI) that creates the report/chart that you show above. That way, we can help you fix your specific program.

0 Karma

taha13
Explorer

I want the first day of the month as the first day.

0 Karma

gcusello
Legend

Hi taha13,
what's your time period: 30 days (-30d@d / now) or from the first day of this month (@mon / now)?
Try with earliest @mon latest now for the current month, or earliest -mon@mon latest @mon for last month.
Bye.
Giuseppe

0 Karma
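The two answers above rely on Splunk's snap-to-time modifiers (`@mon`, `-mon@mon`, `-30d@d`, `now`), and the original query builds its window from `relative_time(now(), "-0mon@mon")` and `relative_time(now(), "-0d@d")`. The following is an added example, not code from the thread or from Splunk: a small Python model of that modifier grammar (offset first, then snap, with `@w` snapping back to Sunday as Splunk does) plus a window filter run over constructed sample events. All times are assumed to be UTC-aware datetimes, and only the units s, m, h, d, w, mon and y are modelled. It also shows the boundary behaviour worth checking in the thread's query: with `latest = -0d@d` the window ends at midnight today, so today's events are dropped, whereas `latest = now` keeps them; and Splunk's own `latest=` is exclusive while the thread's `where ... _time <= latest_time_relative` is inclusive.

```python
# Added example (not from the thread): a model of Splunk's relative-time
# modifier grammar so earliest/latest values can be checked offline.
# Assumptions: UTC-aware datetimes; @w snaps to the previous Sunday;
# only the units s, m, h, d, w, mon, y are supported.
import calendar
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
_UNIT_ALIASES = {
    "s": "s", "sec": "s", "second": "s", "seconds": "s",
    "m": "m", "min": "m", "minute": "m", "minutes": "m",
    "h": "h", "hr": "h", "hour": "h", "hours": "h",
    "d": "d", "day": "d", "days": "d",
    "w": "w", "week": "w", "weeks": "w",
    "mon": "mon", "month": "mon", "months": "mon",
    "y": "y", "yr": "y", "year": "y", "years": "y",
}
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# [sign][count]<unit>  optionally followed by  @<snap-unit>
_MODIFIER = re.compile(r"^(?:([+-]?)(\d*)([a-z]+))?(?:@([a-z]+))?$")


def _add_months(dt, months):
    """Shift by whole months, clamping the day to the target month's length."""
    idx = dt.year * 12 + (dt.month - 1) + months
    year, month0 = divmod(idx, 12)
    month = month0 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def _snap(dt, unit):
    """Truncate dt down to the start of the given unit (Splunk's @unit)."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":  # back to the most recent Sunday (Python: Monday == 0)
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if unit == "mon":
        return day.replace(day=1)
    if unit == "y":
        return day.replace(month=1, day=1)
    raise ValueError(f"unsupported snap unit: {unit}")


def relative_time(now, modifier):
    """Model of SPL relative_time(now, modifier): apply the offset, then snap."""
    mod = modifier.strip().lower()
    if mod in ("", "now"):
        return now
    m = _MODIFIER.match(mod)
    if not m or (m.group(3) is None and m.group(4) is None):
        raise ValueError(f"bad modifier: {modifier!r}")
    sign, num, unit, snap = m.groups()
    dt = now
    if unit:
        if unit not in _UNIT_ALIASES:
            raise ValueError(f"unknown unit in {modifier!r}")
        n = int(num) if num else 1          # "-mon" means "-1mon"
        n = -n if sign == "-" else n
        u = _UNIT_ALIASES[unit]
        if u in ("mon", "y"):
            dt = _add_months(dt, n * (12 if u == "y" else 1))
        else:
            dt = dt + timedelta(seconds=n * _SECONDS[u])
    if snap:
        if snap not in _UNIT_ALIASES:
            raise ValueError(f"unknown snap unit in {modifier!r}")
        dt = _snap(dt, _UNIT_ALIASES[snap])
    return dt


def count_in_window(event_epochs, now, earliest_mod, latest_mod, latest_exclusive=True):
    """Count events with earliest <= _time < latest (Splunk's earliest=/latest=
    semantics).  latest_exclusive=False reproduces the thread's inclusive
    `where _time <= latest_time_relative` test."""
    lo = relative_time(now, earliest_mod).timestamp()
    hi = relative_time(now, latest_mod).timestamp()
    return sum(1 for t in event_epochs
               if lo <= t and (t < hi if latest_exclusive else t <= hi))


# Constructed sample: "now" is Wednesday 2019-03-20 15:00 UTC, plus four events.
NOW = datetime(2019, 3, 20, 15, 0, tzinfo=UTC)
EVENTS = [
    datetime(2019, 2, 28, 23, 0, tzinfo=UTC).timestamp(),   # last month
    datetime(2019, 3, 1, 0, 0, tzinfo=UTC).timestamp(),     # first second of this month
    datetime(2019, 3, 19, 23, 59, tzinfo=UTC).timestamp(),  # yesterday
    datetime(2019, 3, 20, 9, 0, tzinfo=UTC).timestamp(),    # today, before "now"
]

if __name__ == "__main__":
    for mod in ("@mon", "-0mon@mon", "-mon@mon", "-30d@d", "-0d@d", "@w", "now"):
        print(f"{mod:>10} -> {relative_time(NOW, mod).isoformat()}")
    # latest=-0d@d ends at midnight today, so today's event is dropped; latest=now keeps it
    print("@mon .. -0d@d :", count_in_window(EVENTS, NOW, "@mon", "-0d@d"))
    print("@mon .. now   :", count_in_window(EVENTS, NOW, "@mon", "now"))
```

Running it prints each modifier resolved against the constructed `NOW`, then the two counts (2 and 3), which is the difference between ending the window at `-0d@d` and ending it at `now`. The `latest_exclusive` flag is the other check worth making when moving a `where _time <= ...` filter into `earliest=`/`latest=`: an event sitting exactly on the month boundary lands in one window or the other depending on which convention is in force.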

taha13
Explorer

| eval date = strftime(_time,"%Y-%m-%d")
| eval earliest_time_relative=relative_time(now(),"-0mon@mon")
| eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
| eval latest_time_relative=relative_time(now(),"-0d@d")
| eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
| where date == "-0mon@mon" OR (_time >= earliest_time_relative AND _time<=latest_time_relative)

0 Karma