Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search events from selected month?

naty
Path Finder
‎01-31-2017 05:54 AM

Hi,

i have a search that displays its result in a table in the following format:

Time Value
MM-YYYY HHHH
MM-YYYY HHHH
MM-YYYY HHHH
MM-YYYY HHHH

i want to make a drilldown so that when i click on one of the times, it would do a search on that month.

for example:
12-2016 1.12547

i click on the "12-2016" and i want to make a search that earliest=1st Dec 2016, latest=31st Dec 2016.

i can extract the month and the year from the clicked cell using substr, but the problem is that Splunk stores the months by name, so i have to convert "12" to "December" which costs me an eval.
this is how i extract the month and the year - eval temp=substr("12-2016",1,2),month=strftime(temp,"%B"),year=substr("12-2016",4,7)

this is my search:
index=myind source=mysrc | eval temp=substr("12-2016",1,2),month=strftime(temp,"%B"),year=substr("12-2016",4,7) | WHERE date_month==month AND date_year==year | do some more stuff...

Thank you for your help!!

0 Karma
Reply

somesoni2
Revered Legend
‎01-31-2017 07:43 AM

Assuming you're already setup a token say $selectedmonth$ based on the clicked month, we can set the time range of your drilldown search for whole of that month, something like this

index=myind source=mysrc [| gentimes start=-1 | eval earliest=relative_time(strptime("01-$selectedmonth$","%d-%m-%Y") | eval latest=relative_time(earliest,"+1mon") | table earliest latest ] | do some more stuff...
0 Karma
Reply

naty
Path Finder
‎01-31-2017 11:02 PM

Hi, thank you for your help.
i do have this token that it's value is in this syntax: MM-YYYY so it should work perfectly.
however, i have added these lines to my search but it has an error.

this is my search:
index=myind source=mysrc NOT DATETIME (PORT_NAME="P1" OR PORT_NAME="P2" OR PORT_NAME="P3" and some more ports) [|gentimes start=-1 | eval earliest=relative_time(strptime("01-12-2016","%d-%m-%Y"),"-1mon"), latest=relative_time(earliest,"+1mon") | table earliest latest ] | timechart span=1h avg(field) by PORT_NAME | addtotals row=true fieldname=rate |eval rate=rate/1024 | sort rate desc | eval Time=strftime(_time,"%d-%m-%Y") | table Time,rate

i get this error:
Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side

now i don't have an AND operator, but i assume it has something to do with these 2 added lines.
what correction should i make for the search to work?

0 Karma
Reply

somesoni2
Revered Legend
‎02-01-2017 07:15 AM

Yeah... I've seem this issue when you try to pass two or more values from the subsearch (doesn't come consistently). You just need to add | format "" "" "" "" "" "" at the end of the subsearch. like this

 index=myind source=mysrc [| gentimes start=-1 | eval earliest=relative_time(strptime("01-$selectedmonth$","%d-%m-%Y") | eval latest=relative_time(earliest,"+1mon") | table earliest latest | format "" "" "" "" "" "" ] | do some more stuff...
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...