Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to start a timechart on a dashboard on Monday without earliest and latest?

ErikaE
Communicator
‎09-04-2015 08:24 AM

I have a timechart on a dashboard that sums Things by Description* with a span of a week. Since my first Thing event is on a Thursday, my week seems to run Thursday to Thursday on the timechart. If a different chart on the same dashboard has its first Thing event on a Tuesday, it will start on Tuesday.

I've looked at other questions that used earliest, and tried something like earliest=-3y@w1, which does snap everything to Monday. Unfortunately, it also plots a bunch of blank space to the left of all my data in the timechart. I can work around that by using chart instead of timechart: 

source=* earliest=-3y@w1 | reverse | bin _time span=1w | eval time=strftime(_time, "%m-%d-%y") | chart sum(Thing) by time,Description

Which will work great for all time, but will not work if there is a time picker on the dash board, since the earliest in the search will override the time picker.

Also, the chart renders with white space between columns for Description, time combos where there are no Things. I'd like to get rid of that white space, without stacking the columns.

*I am only able to provide generalized examples of my data

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-04-2015 09:52 AM

If you want to snap your timerange from monday (@w1) but still want to respect the user selection via time range picker, try something like this (using a subsearch to generate earliest based on time range picker)

source=* [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"@w1") | table earliest ] | reverse | bin _time span=1w | eval time=strftime(_time, "%m-%d-%y") | chart sum(Thing) by time,Description

Where,
gentimes - just to add one single row placeholder
addinfo - adds timerange picker values (search timerange) in epoch to the search result. Main fields added is info_min_time(earliest) and info_max_time(latest)

Update
To handle all times

Since with all time, earliest will be 0 (epoch lowest value supported by Splunk ) i.e. Thu, 01 Jan 1970 GMT, relative time @w1 would not exist. Try this workaround for the same (to consider next monday Mon, 05 Jan 1970

source=* [| gentimes start=-1 | addinfo | eval info_min_time=if(info_min_time=0,604800,info_min_time)| eval earliest=relative_time(info_min_time,"@w1") | table earliest ] | reverse | bin _time span=1w | eval time=strftime(_time, "%m-%d-%y") | chart sum(Thing) by time,Description

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-04-2015 09:52 AM

If you want to snap your timerange from monday (@w1) but still want to respect the user selection via time range picker, try something like this (using a subsearch to generate earliest based on time range picker)

source=* [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"@w1") | table earliest ] | reverse | bin _time span=1w | eval time=strftime(_time, "%m-%d-%y") | chart sum(Thing) by time,Description

Where,
gentimes - just to add one single row placeholder
addinfo - adds timerange picker values (search timerange) in epoch to the search result. Main fields added is info_min_time(earliest) and info_max_time(latest)

Update
To handle all times

Since with all time, earliest will be 0 (epoch lowest value supported by Splunk ) i.e. Thu, 01 Jan 1970 GMT, relative time @w1 would not exist. Try this workaround for the same (to consider next monday Mon, 05 Jan 1970

source=* [| gentimes start=-1 | addinfo | eval info_min_time=if(info_min_time=0,604800,info_min_time)| eval earliest=relative_time(info_min_time,"@w1") | table earliest ] | reverse | bin _time span=1w | eval time=strftime(_time, "%m-%d-%y") | chart sum(Thing) by time,Description
Reply
Solved! Jump to solution

ErikaE
Communicator
‎09-08-2015 12:28 PM

The update does not appear to be working for all time. Previous month, previous year, etc still start weeks on Monday with the updated code.

I can't get the gentimes search to work on its own in a search, so I can't check the if statements. Any suggestions there? Do I need to debug in a dashboard panel?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-08-2015 02:25 PM

You can run the search like this as regular search

| gentimes start=-1 | addinfo | eval info_min_time=if(info_min_time=0,43200,info_min_time)| eval earliest=relative_time(info_min_time,"@w1")
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-08-2015 02:30 PM

I think the timezone of yours may be making the adjustment 43200 not sufficient enough to get to first monday. So I updated 43200 (5 days) with 604800 (7 days) to be sure. I tested and it works fine. Answer updated.

0 Karma
Reply
Solved! Jump to solution

ErikaE
Communicator
‎09-10-2015 01:23 PM

Thank you so much for your help. This now works great for chart visualizations, but does not work for timecharts. In that case, you'd be better off using a small window of time and earliest like @woodcock suggested, or his custom time picker code.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-04-2015 10:48 AM

I should have thought of that (addinfo + relative_time); very nice.

0 Karma
Reply
Solved! Jump to solution

ErikaE
Communicator
‎09-08-2015 10:11 AM

Works great, unless the selection is all time.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-08-2015 12:14 PM

Try the updated answer to manage all times as well.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-04-2015 09:00 AM

The reason that earliest=-3y@w1 plots a bunch of blank space to the left of all your data in the timechart is because of the -3y part which means go back 3 years! Change it to something more reasonable like -1m@w1 which goes back 1 month and maybe that is all you need. The snap-to Monday part is the @w1 portion. Also, you surely don't need to use reverse.

0 Karma
Reply
Solved! Jump to solution

ErikaE
Communicator
‎09-04-2015 09:06 AM

This is exactly the problem -- I want to look at the history from an arbitrary start date to an arbitrary end date, or by relative time pickers like previous week, previous month, previous quarter. If I have something like -1m@w1 and my user picks previous quarter, they'll only see one month of data.

-3y is long but will ensure that I never mislead myself by overriding the time picker with something hidden under the hood in the search string.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-04-2015 09:34 AM

Why don't you skip the time-picker and have your own drop down with the values you like that maps to the first part of the earliest value? You could have:

<input type="dropdown" token="span_token">
  <label>Span Picker</label>
  <choice value="-1w">Last Week</choice>
  <choice value="-1mon">Last Month</choice>
  <choice value="-1q">Last Quarter</choice>
  <choice value="-1y">Last Year</choice>
  <default>Last Week</default>
</input>

Then you use earliest=$span_token$@w1 in your search.

0 Karma
Reply
Solved! Jump to solution

ErikaE
Communicator
‎09-08-2015 10:12 AM

This would go in the XML code for the dashboard?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-10-2015 03:27 PM

Yes, exactly.

0 Karma
Reply
Get Updates on the Splunk Community!

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...