Solved: Splunk last 7 days within current month?

splunkreal · ‎07-05-2016

Hello,

I'm using dd/mm/yyyy date format and results are not correctly sorted if we are dealing with data across months.

I've tried https://answers.splunk.com/answers/215005/sorting-date-1.html but it doesn't work. The only right way is to use %Y/%m/%d

Otherwise, is it possible to limit the results to the current month?

Snapshot attached.

Thanks.

* If this helps, please upvote or accept solution if it solved *

sundareshr · ‎07-05-2016

Try this instead

index=* | rex ... | rex ... | where ... | timechart span=1d count as visits | eval Date=strftime(_time, "%d/%m/%Y") | fields - _time

And if you only want first 7, you can either filter the data to return only the days you want or add head 7 OR tail 7 to the end

sundareshr · ‎07-05-2016

Try this instead

index=* | rex ... | rex ... | where ... | timechart span=1d count as visits | eval Date=strftime(_time, "%d/%m/%Y") | fields - _time

And if you only want first 7, you can either filter the data to return only the days you want or add head 7 OR tail 7 to the end

splunkreal · ‎07-06-2016

Thanks, it works with timechart.

* If this helps, please upvote or accept solution if it solved *

ddrillic · ‎07-05-2016

You should sort by _time and not by the alphanumeric date field.

Splunk last 7 days within current month?