Solved: How to edit timestamp to one day previously?

jackreeves · ‎05-15-2018

I have a report running in SPLUNK on a daily basis. The timestamp for this report is the "Report Date" field (i.e. today). However, the events are actually from the previous day.

Therefore am I able to run a calculation either in the config file or at search time for ("Report Date"-1d@d). This would then mean the events are timestamped for the correct day.

Thanks in advance.

mayurr98 · ‎05-15-2018

Oh, I deleted it cause I thought that it would not work for you.

index=diags sourcetype=diags_assigned_gdc 
| timechart span=1d dc(Call No) as "Assigned" 
| rename _time as time 
| eval time=strftime(time-86400,"%Y-%m-%d")

Please accept it if it works for you.

View solution in original post

mayurr98 · ‎05-15-2018

Oh, I deleted it cause I thought that it would not work for you.

index=diags sourcetype=diags_assigned_gdc 
| timechart span=1d dc(Call No) as "Assigned" 
| rename _time as time 
| eval time=strftime(time-86400,"%Y-%m-%d")

Please accept it if it works for you.

jackreeves · ‎05-15-2018

Works perfectly. How would this work using chart command? Where Date is following format "Y/m/d" & is not the timestamp?

Search:
index=diags sourcetype=diags_closed_gdc
| chart dc(Call No) as "Closures" over "Category" by "Date" useother=f limit=100

Thanks,
Jack

mayurr98 · ‎05-15-2018

Try this

index=diags sourcetype=diags_closed_gdc 
| eval Date=strftime(strptime(Date,"%Y/%m/%d")-86400,"%Y/%m/%d") 
| chart dc(Call No) as "Closures" over "Category" by "Date" useother=f limit=100

jackreeves · ‎05-15-2018

Again that has worked perfectly!

Thank you so much for your help.

jackreeves · ‎05-15-2018

index=diags sourcetype=diags_assigned
| timechart span=1d dc(Call No) as "Assigned"

This will provide me with following data for previous 7 days:
15/05/2018
14/05/2018
13/05/2018
12/05/2018
11/05/2018
10/05/2018
09/05/2018

However really the data for the 15/05/2018 should be 14/05/2018 & 14/05/2018 should be 13/05/2018 and so on. Essentially changing _time to -1d@d

mayurr98 · ‎05-15-2018

can you provide search query?

jackreeves · ‎05-15-2018

@mayurr98 - bizarrely can't see your latest comment but it has worked a charm 🙂

Answer:
index=diags sourcetype=diags_assigned_gdc
| timechart span=1d dc(Call No) as "Assigned"
| rename _time as time
| eval time=strftime(time-86400,"%Y-%m-%d")

Thanks both for your help

jackreeves · ‎05-15-2018

index=diags sourcetype=diags_assigned_gdc
| timechart span=1d dc(Call No) as "Assigned"

However the timestamp is always one day in the future (i.e. 15/05/2018 should really be 14/05/2018). This is because I am using a "Report Date" field in my data, when the events are always -1d@d behind.

niketn · ‎05-15-2018

@jackreeves, if your current Time picker selection is Today i.e. earliest=@d and latest=now, you should change it to

earliest=-1d@d and latest=-1d@s

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to edit timestamp to one day previously?

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...