Splunk Search

How to dynamically exclude a value for a day in a graph if the day is incomplete?


If I have a search using earliest and latest, say 1st of Dec 16 to 1st Feb 2017, this will draw a graph.
But if I look at the graph today, Dec 15th of 2016, the graph will look fine up until Dec 15th 2016; as this date will be incomplete, the graph will show a drop on this date.

Is there a way to dynamically not include this incomplete date?

Example of my search
... earliest=1480503600 latest=1485860400...

One way is to change the value of that cell for that day (change it to '' or 0, whichever works), but as I said above, I am looking for a dynamic way of doing this.

## change value of a column
eval tcheck=strptime("2016-12-15","%F") |
eval "Column Name"=if(_time==tcheck,'','Column Name') |

graph showing the incomplete day value in the graph that I want to remove

0 Karma


First, is there a reason that you have to specify the search timerange in epoch time?
It is much easier to use relative time notation:

earliest=-14d@d latest=@d

Note the use of "@d", which means "snap to." By specifying latest as "@d", I am saying "at the beginning of today" - or midnight.
Using this notation means that I will never retrieve data for a partial day. The relative time modifiers are discussed in the Search Manual under Time Modifiers.

While it is most efficient to simply eliminate unwanted events in the base search, you can also eliminate "partial time bins" in the timechart command. For example:

| timechart partial=f span=1d count by status

will eliminate any partial days from the timechart. Note that this eliminates partial days at both ends of the time range.

0 Karma


Thanks. I cannot use the relative time notation earliest=-14d@d latest=@d if I want to achieve these set/fixed dates, 1st of Dec 16 to 1st Feb 2017, every day the graph is viewed, or maybe I am mistaken.

I tried partial=f but that did not seem to make a difference. The value for the incomplete day is still there.

Given this method that I mentioned above:

eval tcheck=strptime("2016-12-15","%F") |
eval "Column Name"=if(_time==tcheck,'','Column Name') |

If I could somehow make this 2016-12-15 a dynamic variable that always evaluates to the current date when I view the graph, then this way I could remove the value for the incomplete day, which is what I want.

0 Karma
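
The dynamic cutoff the last post asks for, as an added example that is not part of the original thread: relative_time(now(), "@d") evaluates to midnight of the current day each time the search runs, so the fixed epoch range from the question can stay while today's bucket and any later, still-empty days are dropped from the result. The index and sourcetype names are placeholders, and the count aggregation is an assumption standing in for whatever the real search charts.

```spl
index=your_index sourcetype=your_sourcetype earliest=1480503600 latest=1485860400
| timechart span=1d count AS "Column Name"
| eval today_start=relative_time(now(), "@d")
| where _time < today_start
| fields - today_start
```

partial=f only affects the first and last bins of the search time range, and with latest set in the future today's bucket is not one of them, which is why the filter is applied after timechart instead.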