Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart and Timewrap

scottmkirkland
Explorer
‎11-13-2024 04:46 PM

I am on Splunk 8.2.12.

I am trying to get a distinct count of incidents that have happened in each month, year to date. I'd like to compare that to the year prior. 

I feel like this should be pretty easy, but my results aren't showing the current year in comparison to the previous year.

This shows the current year data (2024)

(earliest=-1@y@y AND latest=now())
| eval date_month=strftime(_time, "%mon")
| eval date_year = strftime(_time, "%Y")
| timechart span=1mon dc(RMI_MastIncNumb) as "# of Incidents"

When I add | timewrap 1year series=exact time_format=%Y it ends up just showing me 2023

scottmkirkland_0-1731545180061.png

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-14-2024 02:57 PM

The reason why it's naming the series 2023 is that the current month is now November 2024, so it's wrapping by 12 months, so the first series is Dec 2023->Nov-2024 - even though you are only searching for data in the current year, the timewrap command will work out the series name based on your timewrap span of 1y

If you made the search with earliest=@y latest=+y@y, which is searching from 2024-01-01 to 2024-12-31 it will label the series correctly as 2024.

So, it's just a function of timewrap. You can see this more clearly if you set your time_format to include the month, i.e. time_format=%Y-%m - then you will get

bowesmana_0-1731624965075.png

and if you change your series=exact to relative, you will see it's 'latest_year', which means a 12 month period.

Hope this helps

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scottmkirkland
Explorer
‎11-14-2024 09:38 AM

Thank you @bowesmana .

With the Time Selector set to Year to date, and not using the earliest command | timechart span=1mon count Results in 2024 as expected.

Then using the following, I end up with a timeline of 2024, but the data claiming it's 2023. But is for sure 2024 data, labeled as 2023.

| timechart span=1mon count
| timewrap 1y series=exact time_format=%Y

scottmkirkland_0-1731605640119.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-14-2024 02:57 PM

The reason why it's naming the series 2023 is that the current month is now November 2024, so it's wrapping by 12 months, so the first series is Dec 2023->Nov-2024 - even though you are only searching for data in the current year, the timewrap command will work out the series name based on your timewrap span of 1y

If you made the search with earliest=@y latest=+y@y, which is searching from 2024-01-01 to 2024-12-31 it will label the series correctly as 2024.

So, it's just a function of timewrap. You can see this more clearly if you set your time_format to include the month, i.e. time_format=%Y-%m - then you will get

bowesmana_0-1731624965075.png

and if you change your series=exact to relative, you will see it's 'latest_year', which means a 12 month period.

Hope this helps

 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-13-2024 07:47 PM

Your earliest= statement is wrong, it should be earliest=-1y@y

You have an extra @ sign (-1@y@y)

0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...