Solved: How to ignore the most recent X number of events f...

jboustead · ‎11-16-2020

Hi

Is there a search command that will ignore the most recent X number of events for each day whilst using a Timechart command?

Thanks

rnowitzki · ‎11-16-2020

Hi @jboustead ,

Before you run the timechart, add this:

|  streamstats count as remove_trigger by date_mday  reset_on_change=true
|  where remove_trigger>3

This would remove the 3 latest/most recent events per day.

Make sure it works if the month changes in the events (and you have 2 different days with "1" as date_mday for example), because I am not sure. You would have to add the month to the streamstats maybe.

Hope it helps.
BR

Ralph

--
Karma and/or Solution tagging appreciated.

View solution in original post

rnowitzki · ‎11-16-2020

Hi @jboustead ,

Before you run the timechart, add this:

|  streamstats count as remove_trigger by date_mday  reset_on_change=true
|  where remove_trigger>3

This would remove the 3 latest/most recent events per day.

Make sure it works if the month changes in the events (and you have 2 different days with "1" as date_mday for example), because I am not sure. You would have to add the month to the streamstats maybe.

Hope it helps.
BR

Ralph

--
Karma and/or Solution tagging appreciated.

How to ignore the most recent X number of events from a search for each day with Timechart command

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

How to ignore the most recent X number of events from a search for each day with Timechart command

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!