Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write timechart output that drops most recent week but keeps in the initial query?

tlmayes
Contributor
‎07-07-2022 04:47 PM

I have a query that must search 9 weeks of data, and then applies a filter against a single field (dv_opened_at) looking for specific events that occurred within an 8 week period.  Initial 9 week search is necessary to catch events that were modified after the end of the last week, yet had a dv_modified_at time within the last 8 weeks. 

query

 

 

index=cmdb (dv_number=* OR number=*)  dv_state=* dv_assigned_to[| inputlookup cmdb_users.csv| table dv_assigned_to ] earliest=-8w@w latest=now()
        | table _time number dv_number dv_opened_at dv_assigned_to dv_short_description dv_watch_list dv_sys_updated_on dv_state close_notes | dedup number
| eval dv_opened_at=strptime(dv_opened_at,"%Y-%m-%d %H:%M:%S") 
| where dv_opened_at>=relative_time(now(), "-8w@w") AND dv_opened_at<=relative_time(now(), "@w")
| eval _time=dv_opened_at
| bin _time span=1w
| eval weeknumber=strftime(_time,"%U")
| rename dv_assigned_to AS Analyst
| timechart limit=0 useother=false span=1w count BY Analyst

 

 

The problem is, the timechart outputs 9 weeks of data, and as expected the last week is all 0's.  How do I eliminate the current week from the output, but keep the current week in the initial query?

Output

 

 

_time	    Analyst1 Analyst2 Analyst3 Analyst4
2022-05-08 	19      6       0         0
2022-05-15	5       4       0         0
2022-05-22	8       2       0         1
2022-05-29	7       4       0         0
2022-06-05	1       3       1         39
2022-06-12	7       1       4         51
2022-06-19	3       2       0         59
2022-06-26	25      5       2         26
2022-07-03	0       0       0         0 #how to drop this row each weekly report

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-11-2022 05:47 AM 
| where _time < relative_time(now(),"@w")

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-07-2022 10:12 PM

timechart uses earliest and latest to determine what time range to use - update these on your search line to snap to the beginning of the week

... earliest=-8w@w latest=@w
0 Karma
Reply
Solved! Jump to solution

tlmayes
Contributor
‎07-11-2022 05:30 AM

cannot do this since doing so would eliminate the present week in the query.  Weird, but I need the present week in the query, but not in the output.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-11-2022 05:47 AM 
| where _time < relative_time(now(),"@w")
Reply
Solved! Jump to solution

tlmayes
Contributor
‎07-11-2022 06:51 AM

Exactly.  This is what I was looking for.  Tried other variations but could not make it work.  Yours did.  Thanks

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-07-2022 09:40 PM

Just filter out the empty row. Something like

| where _time <now()-7*86400
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...