Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write timechart output that drops most recent week but keeps in the initial query?

tlmayes
Contributor
‎07-07-2022 04:47 PM

I have a query that must search 9 weeks of data, and then applies a filter against a single field (dv_opened_at) looking for specific events that occurred within an 8 week period.  Initial 9 week search is necessary to catch events that were modified after the end of the last week, yet had a dv_modified_at time within the last 8 weeks. 

query

 

 

index=cmdb (dv_number=* OR number=*)  dv_state=* dv_assigned_to[| inputlookup cmdb_users.csv| table dv_assigned_to ] earliest=-8w@w latest=now()
        | table _time number dv_number dv_opened_at dv_assigned_to dv_short_description dv_watch_list dv_sys_updated_on dv_state close_notes | dedup number
| eval dv_opened_at=strptime(dv_opened_at,"%Y-%m-%d %H:%M:%S") 
| where dv_opened_at>=relative_time(now(), "-8w@w") AND dv_opened_at<=relative_time(now(), "@w")
| eval _time=dv_opened_at
| bin _time span=1w
| eval weeknumber=strftime(_time,"%U")
| rename dv_assigned_to AS Analyst
| timechart limit=0 useother=false span=1w count BY Analyst

 

 

The problem is, the timechart outputs 9 weeks of data, and as expected the last week is all 0's.  How do I eliminate the current week from the output, but keep the current week in the initial query?

Output

 

 

_time	    Analyst1 Analyst2 Analyst3 Analyst4
2022-05-08 	19      6       0         0
2022-05-15	5       4       0         0
2022-05-22	8       2       0         1
2022-05-29	7       4       0         0
2022-06-05	1       3       1         39
2022-06-12	7       1       4         51
2022-06-19	3       2       0         59
2022-06-26	25      5       2         26
2022-07-03	0       0       0         0 #how to drop this row each weekly report

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-11-2022 05:47 AM 
| where _time < relative_time(now(),"@w")

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-07-2022 10:12 PM

timechart uses earliest and latest to determine what time range to use - update these on your search line to snap to the beginning of the week

... earliest=-8w@w latest=@w
0 Karma
Reply
Solved! Jump to solution

tlmayes
Contributor
‎07-11-2022 05:30 AM

cannot do this since doing so would eliminate the present week in the query.  Weird, but I need the present week in the query, but not in the output.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-11-2022 05:47 AM 
| where _time < relative_time(now(),"@w")
Reply
Solved! Jump to solution

tlmayes
Contributor
‎07-11-2022 06:51 AM

Exactly.  This is what I was looking for.  Tried other variations but could not make it work.  Yours did.  Thanks

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-07-2022 09:40 PM

Just filter out the empty row. Something like

| where _time <now()-7*86400
0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...