Splunk Search

time span query

PaulaCom
Path Finder

Hi All,

I'd like some help, please, with a query that's been asked of me, and it's a little out of my depth.

The current query below shows the total of helpdesk calls by year.

index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json
| dedup id
| fillnull value=NULL
| search "problemtype.detailDisplayName"!=*AGRESSO*
| eval problem_detail='problemtype.detailDisplayName'
| eval problem_detail=replace(problem_detail, "&#8226","")
| eval problem_detail=replace(problem_detail, ";","|")
| eval techGroupLevel = 'techGroupLevel.levelName'
| eval techGroupLevel = replace(techGroupLevel, " "," ")
| eval techGroupLevel = replace(techGroupLevel, " ","")
| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")
| eval location_Name = 'location.locationName'
| eval status = 'statustype.statusTypeName'
| eval priority = 'prioritytype.priorityTypeName'
| eval techGroupId = 'techGroupLevel.id'
| eval tech_Name = 'clientTech.displayName'
| top limit=20 date_year
| search date_year IN(2020,2021,2022,2023)
| eval sort=case(date_year=="2020", "02", date_year=="2021","03", date_year=="2022","04", date_year=="2023","05")
| sort sort
| fields - sort
| fields - percent
| eval Year=case(date_year=="2020", "Y 2020", date_year=="2021", "Y 2021", date_year=="2022", "Y 2022", date_year=="2023", "Y 2023")
| table Year count

I would now like to show only the years 2021 and 2022 in a line chart,

but ... I would like each year to have a separate line.

If possible, I'd like the time span for each year to be broken into months.

I can get this with the time picker (previous year chosen) and the following query for 2022:

index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json
| dedup id
| fillnull value=NULL
| search "problemtype.detailDisplayName"!=*AGRESSO*
| eval problem_detail='problemtype.detailDisplayName'
| eval problem_detail=replace(problem_detail, "&#8226","")
| eval problem_detail=replace(problem_detail, ";","|")
| eval techGroupLevel = 'techGroupLevel.levelName'
| eval techGroupLevel = replace(techGroupLevel, " "," ")
| eval techGroupLevel = replace(techGroupLevel, " ","")
| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")
| eval location_Name = 'location.locationName'
| eval status = 'statustype.statusTypeName'
| eval priority = 'prioritytype.priorityTypeName'
| eval techGroupId = 'techGroupLevel.id'
| eval tech_Name = 'clientTech.displayName'
| timechart span=1mon count(id)


How can I get both years to show?

Thank you

🙂 

1 Solution

ITWhisperer
SplunkTrust

Try without span=

| timewrap 1y


PaulaCom
Path Finder

Thank you, that worked.


ITWhisperer
SplunkTrust

I updated my response accordingly.


PaulaCom
Path Finder

I get an error message with that:

Error in 'timewrap' command: Option 'span=1y' is invalid.


ITWhisperer
SplunkTrust

Try something like this

index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json earliest=-2y@y latest=@y
| dedup id
| fillnull value=NULL
| search "problemtype.detailDisplayName"!=*AGRESSO*
| eval problem_detail='problemtype.detailDisplayName'
| eval problem_detail=replace(problem_detail, "&#8226","")
| eval problem_detail=replace(problem_detail, ";","|")
| eval techGroupLevel = 'techGroupLevel.levelName'
| eval techGroupLevel = replace(techGroupLevel, " "," ")
| eval techGroupLevel = replace(techGroupLevel, " ","")
| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")
| eval location_Name = 'location.locationName'
| eval status = 'statustype.statusTypeName'
| eval priority = 'prioritytype.priorityTypeName'
| eval techGroupId = 'techGroupLevel.id'
| eval tech_Name = 'clientTech.displayName'
| timechart span=1mon count(id)
| timewrap 1y

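What the accepted answer's pipeline (`dedup id` → `timechart span=1mon count(id)` → `timewrap 1y`, over the window `earliest=-2y@y latest=@y`) does to the data, shown as an added Python example; this is not code from the thread or from Splunk. The ticket records, the duplicated ticket id, and the reference date of mid-2023 (chosen so that the two-year window covers 2021 and 2022, as in the question) are all constructed assumptions. `timewrap` reshapes one long monthly series into one series per year aligned on month-of-year, which is exactly what gives a separate line per year on the same chart.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample helpdesk tickets (id, event time); not real data.
# "T1" appears twice to mimic the repeated JSON records that `| dedup id` removes.
SAMPLE_TICKETS = [
    ("T1", "2021-01-05T09:00:00Z"),
    ("T1", "2021-01-05T09:00:00Z"),  # duplicate record of T1
    ("T2", "2021-01-20T14:00:00Z"),
    ("T3", "2021-03-02T08:30:00Z"),
    ("T4", "2022-01-11T10:00:00Z"),
    ("T5", "2022-03-15T16:45:00Z"),
    ("T6", "2022-03-16T11:00:00Z"),
    ("T7", "2022-03-17T12:00:00Z"),
    ("T8", "2023-02-01T09:00:00Z"),  # after latest=@y when "now" is in 2023
    ("T9", "2020-12-31T23:59:59Z"),  # before earliest=-2y@y when "now" is in 2023
]

# Assumed reference date for "now" (mid-2023, matching the thread's year filter).
ASSUMED_NOW = datetime(2023, 7, 24, tzinfo=timezone.utc)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def year_window(now, years_back=2):
    """Mimic earliest=-2y@y latest=@y: [Jan 1 of (now.year - years_back), Jan 1 of now.year)."""
    start = datetime(now.year - years_back, 1, 1, tzinfo=timezone.utc)
    end = datetime(now.year, 1, 1, tzinfo=timezone.utc)
    return start, end


def dedup_by_id(tickets):
    """Like `| dedup id`: keep only the first record seen for each ticket id."""
    seen = set()
    out = []
    for tid, ts in tickets:
        if tid in seen:
            continue
        seen.add(tid)
        out.append((tid, parse_ts(ts)))
    return out


def monthly_counts(tickets, start, end):
    """Like `| timechart span=1mon count(id)` restricted to the [start, end) window."""
    counts = defaultdict(int)
    for _tid, ts in tickets:
        if start <= ts < end:
            counts[(ts.year, ts.month)] += 1
    return dict(counts)


def timewrap_by_year(counts):
    """Like `| timewrap 1y`: one series per year, indexed by month-of-year (Jan..Dec).

    Months with no tickets are filled with 0 so every year's line has 12 points.
    """
    years = sorted({y for (y, _m) in counts})
    return {y: [counts.get((y, m), 0) for m in range(1, 13)] for y in years}


def helpdesk_by_year(tickets=SAMPLE_TICKETS, now=ASSUMED_NOW):
    """Run the whole pipeline: window -> dedup -> monthly count -> wrap by year."""
    start, end = year_window(now)
    deduped = dedup_by_id(tickets)
    return timewrap_by_year(monthly_counts(deduped, start, end))


if __name__ == "__main__":
    for year, series in helpdesk_by_year().items():
        print(year, series)
```

Each key of the returned dict is one line on the chart and each list is that year's twelve monthly points, which is why the `span=` option belongs on `timechart` (it sets the x-axis granularity) and `timewrap` only takes the wrap period `1y`.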