Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to select Year-Month from a search output 3 months ahead ?

promukh
Path Finder
‎10-07-2020 02:21 PM

Hello Experts,

I have the below output for a splunk search, i only want to display "Year-Month" rows 3 months ahead of current Year-Month..

YearMonthUpper95(Prediction)
Sep 20205
Oct 202011
Nov 202015
Dec 202018
Jan 202021
Feb 202023
Mar 202026

 

I only want to display  the row - Year-Month -- " Jan 2021  " from the above output  ? 

If the current YearMonth is November-2020 , i want to display the row  -- " Feb 2021 "

Any Help appreciated 

 

Thanks

 

 

Labels (3)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-07-2020 03:00 PM

See this using your example - in your data, I believe you meant to use 2021, not 2020 for Jan/Feb/Mar

| makeresults 
| eval _raw="YearMonth,Upper95(Prediction)
Sep 2020,5
Oct 2020,11
Nov 2020,15
Dec 2020,18
Jan 2021,21
Feb 2021,23
Mar 2021,26"
| multikv forceheader=1
| table YearMonth Upper*
| eval COMMENT="------ YOU WANT FROM THIS LINE BELOW ------"
| eval rowMonth=strptime("01 ".YearMonth, "%d %b %Y")
| eval wantedMonth=relative_time(now(), "+3mon@mon")
| where rowMonth=wantedMonth
| table YearMonth Upper*

Hope this helps

 

Reply

promukh
Path Finder
‎10-07-2020 03:20 PM

Thank You  , i was able to figure it out using below eval expression 

eval time_select=strftime(relative_time(now(), "+3mon"), "%b %Y") | where YearMonth=time_select

Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-07-2020 03:53 PM

@promukh 

Your relative time statement should use snap to month, as some dates will not work as expected, for example on 2020-11-30 if you do your solution, it will result in Mar 2021, not Feb 2021 as I expect you need.

So, use @mon

eval time_select=strftime(relative_time(now(), "+3mon@mon"), "%b %Y")

 to ensure you get Feb 2021

Reply

promukh
Path Finder
‎10-08-2020 07:14 AM

thank you  @bowesmana  will add the suggested change.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...