I am on Splunk 8.2.12.
I am trying to get a distinct count of incidents that have happened in each month, year to date. I'd like to compare that to the year prior.
I feel like this should be pretty easy, but my results aren't showing the current year in comparison to the previous year.
This shows the current year data (2024)
(earliest=-1@y@y AND latest=now())
| eval date_month=strftime(_time, "%mon")
| eval date_year = strftime(_time, "%Y")
| timechart span=1mon dc(RMI_MastIncNumb) as "# of Incidents"
When I add | timewrap 1year series=exact time_format=%Y it ends up just showing me 2023
Thank you @bowesmana .
With the Time Selector set to Year to date, and not using the earliest command, | timechart span=1mon count results in 2024 as expected.
Then, using the following, I end up with a timeline of 2024, but the data is labeled 2023. It is for sure 2024 data, labeled as 2023.
| timechart span=1mon count
| timewrap 1y series=exact time_format=%Y
The reason it names the series 2023 is that the current month is now November 2024, so it is wrapping by 12 months, and the first series is Dec 2023 -> Nov 2024. Even though you are only searching for data in the current year, the timewrap command works out the series name based on your timewrap span of 1y.
If you made the search with earliest=@y latest=+y@y, which searches from 2024-01-01 to 2024-12-31, it would label the series correctly as 2024.
So it's just a function of timewrap. You can see this more clearly if you set your time_format to include the month, i.e. time_format=%Y-%m; then you will get
And if you change series=exact to series=relative, you will see it's 'latest_year', which means a 12-month period.
Hope this helps
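Putting the two points of this answer together (a search window aligned to calendar-year boundaries, then timewrap), the following is an added example search, not one posted by anyone in this thread. It reuses the RMI_MastIncNumb field from the question and assumes no particular index or sourcetype; add your own base search in front of the time modifiers.

```spl
earliest=-1y@y latest=+y@y
| timechart span=1mon dc(RMI_MastIncNumb) as incidents
| timewrap 1y series=exact time_format=%Y
```

Because the window runs from 1 January of last year to 1 January of next year, timechart produces exactly 24 monthly buckets and timewrap folds them into two 12-month series whose start timestamps fall in January, so the %Y labels come out as the previous year and the current year. The months of the current year that have not happened yet simply show no data, which is what makes the year-to-date comparison line up month for month.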
Your earliest= statement is wrong; it should be earliest=-1y@y
You have an extra @ sign (-1@y@y).