Solved: How do I create a timechart by month, but starting...

markgandolfo · ‎02-01-2016

Hi,

I'm trying to timechart by month, but starting at the 15th of the month. I've looked for "offsets", but I can't seem to find anything helpful.

Can someone point me in the correct direction?

Thanks
Mark

javiergn · ‎02-01-2016

This is what I've tried and seems to be working fine but I've only got two months worth of data so ...

index=_internal
| eval mytime = if(date_mday<=15, _time, _time+(15*24*60*60))
| bucket mytime span=1mon
| eval month = strftime(mytime, "%B")
| chart count over mytime by month
| eval mytime = "Mid-" . strftime(mytime, "%B")

View solution in original post

fdi01 · ‎02-01-2016

try like :

your_base_search ... date_mday>=15| timechart span=1months count

example:

index = _internal date_mday>=15| timechart span=1months count

javiergn · ‎02-01-2016

This is what I've tried and seems to be working fine but I've only got two months worth of data so ...

index=_internal
| eval mytime = if(date_mday<=15, _time, _time+(15*24*60*60))
| bucket mytime span=1mon
| eval month = strftime(mytime, "%B")
| chart count over mytime by month
| eval mytime = "Mid-" . strftime(mytime, "%B")

chimell · ‎02-01-2016

Hi
try this example and tell if it help you

 index=_internal  |timechart count by date_month where (date_mday>=15 and date_mday=<31)

How do I create a timechart by month, but starting with the 15th day of the month? (15th - 14th)

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!