
First day of the month

Explorer

Hello,

I have a job for this month; the problem is that in my histogram I always have Thursday as the first day.

[histogram screenshot]
0 Karma

SplunkTrust

@taha13, since you are calculating the date field from _time, all other time fields are dependent on the _time field itself. The approach you are using in the query is very expensive. Refer to the documentation for search optimization tips.

You should ideally use a token from the Time Picker in your search, or use earliest and latest filters in your base search. If you want to run the search for the current month, your snap-to-time should be as follows (run-anywhere search based on Splunk's _internal index):

index="_internal" sourcetype="splunkd" log_level="ERROR" earliest=@mon latest=now
| timechart span=1d count

Following is the Splunk Docs link with examples of snap-to-time modifiers:

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Explorer

This is my query:

|loadjob savedsearch="a468413:ied:job_mois_encours"
| eval date = strftime(_time,"%Y-%m-%d")
| eval earliest_timerelative=relative_time(now(),"-0mon@mon")
| eval earliesttime = strftime(earliest_timerelative,"%Y-%m-%d")
| eval latest_timerelative=relative_time(now(),"-0d@d")
| eval latesttime = strftime(latest_timerelative,"%Y-%m-%d")
| where date == "-0mon@mon" OR (_time >= earliest_timerelative AND _time<=latest_timerelative)

I'm using loadjob! Where can I put the earliest and the latest? Or if there is just an edit to my query, it will be better for my code, because I'm using this method for five dashboards.

0 Karma

SplunkTrust

@taha13, are you using a scheduled saved search in the dashboard? If that is the case, there will be a limited number of results sent, which are already saved. So there should be no impact from this kind of time filter that you are trying to apply on the results.

However, when you run the search |loadjob savedsearch="a468413:ied:job_mois_encours", do you see the timestamps that you are interested in?

You should calculate the earliest and latest time as epoch time (since it is on your dashboard, you can use a dummy search to perform this) and apply a direct filter based on `_time > earliestEpochTime AND _time < latestEpochTime`.

Refer to my previous Answer to get earliest and latest epoch time tokens from Time Picker: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust

Your question is unclear.

1) Is this a weekly job? If so, what day do you want to be the first day of the week?

2) Please post a non-confidential version of the SPL (eliminating any parts that might be proprietary or PHI) that creates the report/chart that you show above. That way, we can help you fix your specific program.

0 Karma

Explorer

I want the first day of the month as the first day.

0 Karma

Legend

Hi taha13,
What's your time period: 30 days (-30d@d / now) or from the first day of this month (@mon / now)?
Try with earliest @mon latest now for the current month, or earliest -mon@mon latest @mon for last month.
Bye.
Giuseppe

0 Karma
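The two SplunkTrust answers and Giuseppe's reply all lean on the same idea: resolve a snap-to-time modifier (earliest=@mon latest=now for the current month, earliest=-mon@mon latest=@mon for last month) to an epoch window and filter _time against that window, instead of comparing formatted date strings the way the posted query does (its `where date == "-0mon@mon"` compares a "%Y-%m-%d" string against a modifier literal, which can never be equal). The following is an added example written for this thread, in Python rather than SPL so it can run anywhere; it is not code from the posts or from Splunk. It re-implements the subset of the modifier grammar used above ("now" and [+|-][N]unit[@snapunit]), applies the resulting window with Splunk's inclusive-earliest, exclusive-latest semantics, and buckets the surviving events per day like `timechart span=1d count`. The sample events, the fixed "now" of 2019-03-14 10:30 UTC, and the UTC time zone are constructed for the example; Splunk snaps in the searching user's time zone.

```python
"""Subset of Splunk's relative-time modifiers, re-implemented in Python.

Added example for this thread, not code from the posts or from Splunk. It resolves
modifiers such as @mon, -mon@mon, -0d@d and -30d@d against a fixed "now", applies
the resulting epoch window as a _time filter (earliest inclusive, latest exclusive,
as Splunk does), and buckets the survivors by day. Time zone is fixed to UTC here;
Splunk snaps in the searching user's time zone. The grammar covers only
"now" and [+|-][N]unit[@snapunit]; Splunk also accepts offsets after the snap.
"""
import calendar
import re
from datetime import datetime, timedelta, timezone

_MOD_RE = re.compile(
    r"^(?:(?P<sign>[+-])(?P<n>\d*)(?P<unit>mon|[smhdw]))?(?:@(?P<snap>mon|[smhdw]))?$"
)
_DELTA_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def _shift_months(dt, n):
    """Move dt by n calendar months, clamping the day to the target month's length."""
    year, month0 = divmod(dt.year * 12 + (dt.month - 1) + n, 12)
    month = month0 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def _snap(dt, unit):
    """Truncate dt to the start of the given unit (@w snaps to Sunday, like Splunk)."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day_start = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day_start
    if unit == "w":
        return day_start - timedelta(days=(day_start.weekday() + 1) % 7)
    if unit == "mon":
        return day_start.replace(day=1)
    raise ValueError(f"unknown snap unit: {unit}")


def relative_time(now_epoch, modifier):
    """Python counterpart of SPL relative_time(now(), modifier): returns epoch seconds.

    The offset is applied first, then the snap, which is why "-mon@mon" is the
    first of last month and "-0mon@mon" (or plain "@mon") the first of this month.
    """
    if modifier == "now":
        return int(now_epoch)
    m = _MOD_RE.match(modifier)
    if not modifier or not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    dt = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    if m.group("unit"):
        n = int(m.group("n") or 1)
        if m.group("sign") == "-":
            n = -n
        unit = m.group("unit")
        dt = _shift_months(dt, n) if unit == "mon" else dt + timedelta(**{_DELTA_UNIT[unit]: n})
    if m.group("snap"):
        dt = _snap(dt, m.group("snap"))
    return int(dt.timestamp())


def daily_counts(events, now_epoch, earliest, latest):
    """In-memory equivalent of `... earliest=<mod> latest=<mod> | timechart span=1d count`."""
    lo, hi = relative_time(now_epoch, earliest), relative_time(now_epoch, latest)
    counts = {}
    for event in events:
        if lo <= event["_time"] < hi:  # epoch comparison, not a formatted-string comparison
            day = datetime.fromtimestamp(event["_time"], tz=timezone.utc).strftime("%Y-%m-%d")
            counts[day] = counts.get(day, 0) + 1
    return dict(sorted(counts.items()))


def _ts(*ymdhm):
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())


# Constructed sample data: the search runs at 2019-03-14 10:30 UTC ("now").
NOW = _ts(2019, 3, 14, 10, 30)
EVENTS = [
    {"_time": _ts(2019, 2, 27, 9, 0), "log_level": "ERROR"},   # last month
    {"_time": _ts(2019, 3, 1, 0, 0), "log_level": "ERROR"},    # exactly on @mon: included
    {"_time": _ts(2019, 3, 1, 13, 0), "log_level": "ERROR"},
    {"_time": _ts(2019, 3, 5, 8, 0), "log_level": "ERROR"},
    {"_time": _ts(2019, 3, 14, 10, 29), "log_level": "ERROR"},
    {"_time": _ts(2019, 3, 14, 11, 0), "log_level": "ERROR"},  # after "now": excluded
]

if __name__ == "__main__":
    for mod in ("@mon", "-0mon@mon", "-mon@mon", "-0d@d", "-30d@d", "now"):
        resolved = datetime.fromtimestamp(relative_time(NOW, mod), tz=timezone.utc)
        print(f"{mod:>10} -> {resolved:%Y-%m-%d %H:%M}")
    print("current month:", daily_counts(EVENTS, NOW, "@mon", "now"))
    print("last month:   ", daily_counts(EVENTS, NOW, "-mon@mon", "@mon"))
```

Running it shows why the answers point at earliest/latest rather than string juggling: @mon and -0mon@mon both land on 2019-03-01 00:00, -mon@mon on 2019-02-01, and the current-month histogram starts on the 1st regardless of which weekday that is. The same epoch window is what a dashboard token from the Time Picker would supply, and a `where _time >= earliest AND _time < latest` on loadjob results is the direct filter the second answer describes.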

Explorer

| eval date = strftime(_time,"%Y-%m-%d")
| eval earliest_timerelative=relative_time(now(),"-0mon@mon")
| eval earliesttime = strftime(earliest_timerelative,"%Y-%m-%d")
| eval latest_timerelative=relative_time(now(),"-0d@d")
| eval latesttime = strftime(latest_timerelative,"%Y-%m-%d")
| where date == "-0mon@mon" OR (_time >= earliest_timerelative AND _time<=latest_timerelative)

0 Karma