Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does the date filtering only displays information from the first day of the week (Monday)?

taha13
Explorer
‎03-12-2018 12:03 PM

Hello,
I have a little problem with the filtering date, I need a way to filter my dashboard so as to have the informations about the last week always starting on the first day of the week Monday even if we're wednesday,
For example :
If its Wednesday ; it's displays informations from the last Monday until Wednesay .

Thank you for your help .

0 Karma
Reply

niketn
Legend
‎03-13-2018 03:43 AM

@taha13, you must first read and understand Time Modifiers and Snap To syntax from Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Search/Specifytimemodifiersinyoursearch

Please try the following run anywhere dashboard. Based on the current week day it sets the following two time ranges:

  • If current Week Day is Mon, Tue or
    Wed    , it sets the earliest time as
    -1w@w1 or Previous Week @ Monday
    and latest time as -0w@w or Current
    Week @ Sunday    .

  • Else if the current Week Day is Thu,
    Fri, Sat or Sun    , it sets the
    earliest time as -1w@w1 or
    Previous Week @ Monday and latest
    time as -0w@w3 or Current Week @
    Wednesday    .

In order to test various weekdays, replace the following search pipe | eval WeekDay=strftime(_time,"%a") with your specific weekday for example | eval WeekDay ="Wed" or | eval WeekDay ="Thu" etc.

<form>
  <label>Earliest and Latest Time based on current day</label>
  <search>
    <query>
       | makeresults
       | eval WeekDay=strftime(_time,"%a")
       | eval Hour=strftime(_time,"%H")
       | eval Time=case(WeekDay in ("Mon","Tue","Wed"),"earliest=-1w@w1 latest=-0w@w",true(),"earliest=-1w@w1 latest=-0w@w3") 
       | table _time WeekDay Hour Time
     </query>
    <progress>
      <set token="queryTimeRange">$result.Time$</set>
      <set token="tokWeekDay">$result.WeekDay$</set>
    </progress>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <table>
        <title>Today's Week Day: $tokWeekDay$ - Time Range: $queryTimeRange$</title>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="ERROR" $queryTimeRange$
   | stats count as Errors
   | addinfo
   | fieldformat info_min_time=strftime(info_min_time,"%c")
   | fieldformat info_max_time=strftime(info_max_time,"%c")
   | fieldformat info_search_time=strftime(info_search_time,"%c")
   | table Errors info_min_time info_max_time info_search_time
         </query>
        </search>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

taha13
Explorer
‎03-13-2018 05:35 AM

Tnak you for your answer @niketnilay

But,can you just tell me where should i put this query in my code

 <condition label="Semaine précédente">
          <set token="earliest1_token">$value$</set>
          <set token="earliest_token">$value$</set>
          <set token="latest_token">-0w@w</set>
          <set token="time_token">true</set>

---------------------

<row>
    <panel>
      <single>
        <title>Nombre de clients éligibles au Tchat</title>
        <search>
          <query>|loadjob savedsearch=":ied:$loadjob_token_job$"
            |search $media_token$ $chatOrigin_token$

            |eval date_time = strftime(_time,"%Y-%m-%d") 
              | eval earliest_time_relative=relative_time(now(),"$earliest_token$")
                | eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")

                | eval earliest1_time_relative=relative_time(now(),"$earliest1_token$")
                | eval earliest1_time = strftime(earliest1_time_relative,"%Y-%m-%d")

                | eval latest_time_relative=relative_time(now(),"$latest_token$")
                | eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")

                | eval date = strftime(_time,"%Y-%m-%d")
                | where date == "$time_token$" OR (date_time &gt;= earliest1_time AND latest_time &gt;= date_time) OR date_time&gt;= earliest_time

              |stats dc(eval(if((isEligible_lo=1), client, NULL))) AS Nombre_clients_éligibles_au_Tchat BY _time,media,chatOrigin
                | stats SUM(Nombre_clients_éligibles_au_Tchat) AS snb
        | fields snb</query>
        </search>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
<row>
0 Karma
Reply

niketn
Legend
‎03-14-2018 03:54 AM

Before I can assist further, have you tested above Run Anywhere dashboard of mine? Does it set the earliest and latest time as per expectations? And have you understood how that dashboard is working?

Following run anywhere search can be the first line of your dashboard, may be after <label> and <description>

 <query>
    | makeresults
    | eval WeekDay=strftime(_time,"%a")
    | eval Hour=strftime(_time,"%H")
    | eval Time=case(WeekDay in ("Mon","Tue","Wed"),"earliest=-1w@w1 latest=-0w@w",true(),"earliest=-1w@w1 latest=-0w@w3") 
    | table _time WeekDay Hour Time
  </query>
 <progress>
   <set token="queryTimeRange">$result.Time$</set>
 </progress>

Then use $queryTimeRange$ in your base search for the queries that should pick up the earliest and latest time as per your question.

In your dashboard example seems like you are loading the result of a saved search, which might have already run. Maybe you can have two saved searches instead and set the token for their saved search names instead.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

niketn
Legend
‎04-04-2018 05:55 AM

@taha13, is your issue resolved? Please accept the answer if it is to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

bangalorep
Communicator
‎03-13-2018 02:54 AM

Hello!
You can try using 

earliest=-1w

for exactly seven days. So if you check on Wednesday 12 p.m. it will show you from the previous wednesday 12 p.m.

or

earliest=-1w@d

For the entire day. So if you check on Wednesday - irrespective of the time, it will show you the results of the whole day.

Here's the documentation, for you to understand this better
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/SearchTimeModifiers

0 Karma
Reply

taha13
Explorer
‎03-13-2018 05:37 AM

my question is : if i check n wednesday,it will show me the result from monday of the last week

0 Karma
Reply

niketn
Legend
‎03-12-2018 12:49 PM

@taha13, can you check the following answer on similar lines?https://answers.splunk.com/answers/527234/making-same-query-run-for-different-times.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

taha13
Explorer
‎03-13-2018 01:49 AM

@niketnilay thank you for your answer,i chacked the answer ,but since i am new to develop on splunk, i do not really see the relation between my problem and this one

0 Karma
Reply

somesoni2
Revered Legend
‎03-12-2018 12:41 PM

Whats the time range you're using?

0 Karma
Reply

taha13
Explorer
‎03-12-2018 12:48 PM

i don't really know, i just start using splunk
For the last week, i have earliest_time:-1w@w latest_time:-0d@d

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...