Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to write timechart output that drops most recent week but keeps in the initial query?

tlmayes
Contributor
‎07-07-2022 04:47 PM

I have a query that must search 9 weeks of data, and then applies a filter against a single field (dv_opened_at) looking for specific events that occurred within an 8 week period.  Initial 9 week search is necessary to catch events that were modified after the end of the last week, yet had a dv_modified_at time within the last 8 weeks. 

query

 

 

index=cmdb (dv_number=* OR number=*)  dv_state=* dv_assigned_to[| inputlookup cmdb_users.csv| table dv_assigned_to ] earliest=-8w@w latest=now()
        | table _time number dv_number dv_opened_at dv_assigned_to dv_short_description dv_watch_list dv_sys_updated_on dv_state close_notes | dedup number
| eval dv_opened_at=strptime(dv_opened_at,"%Y-%m-%d %H:%M:%S") 
| where dv_opened_at>=relative_time(now(), "-8w@w") AND dv_opened_at<=relative_time(now(), "@w")
| eval _time=dv_opened_at
| bin _time span=1w
| eval weeknumber=strftime(_time,"%U")
| rename dv_assigned_to AS Analyst
| timechart limit=0 useother=false span=1w count BY Analyst

 

 

The problem is, the timechart outputs 9 weeks of data, and as expected the last week is all 0's.  How do I eliminate the current week from the output, but keep the current week in the initial query?

Output

 

 

_time	    Analyst1 Analyst2 Analyst3 Analyst4
2022-05-08 	19      6       0         0
2022-05-15	5       4       0         0
2022-05-22	8       2       0         1
2022-05-29	7       4       0         0
2022-06-05	1       3       1         39
2022-06-12	7       1       4         51
2022-06-19	3       2       0         59
2022-06-26	25      5       2         26
2022-07-03	0       0       0         0 #how to drop this row each weekly report

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-11-2022 05:47 AM 
| where _time < relative_time(now(),"@w")

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-07-2022 10:12 PM

timechart uses earliest and latest to determine what time range to use - update these on your search line to snap to the beginning of the week

... earliest=-8w@w latest=@w
0 Karma
Reply
Solved! Jump to solution

tlmayes
Contributor
‎07-11-2022 05:30 AM

cannot do this since doing so would eliminate the present week in the query.  Weird, but I need the present week in the query, but not in the output.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-11-2022 05:47 AM 
| where _time < relative_time(now(),"@w")
Reply
Solved! Jump to solution

tlmayes
Contributor
‎07-11-2022 06:51 AM

Exactly.  This is what I was looking for.  Tried other variations but could not make it work.  Yours did.  Thanks

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-07-2022 09:40 PM

Just filter out the empty row. Something like

| where _time <now()-7*86400
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...