Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Iam trying to get data from "30-Oct-23" but its starting from "23-Oct-23".Could anyone please suggest change in my query

krishna1
Explorer
‎11-05-2023 10:47 PM

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%V")

|eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
|eval new_timeline=strftime(timeline_date,"%Y-%V")
|where lastmodifiedWeek<=new_timeline
|join max=0 type=left current_ticket_state [|inputlookup weekly_status_state_mapping.csv|rename Status as current_ticket_state|table current_ticket_state Lookup]

| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline2=relative_time(timeline1,"-1w@w1")
| eval timeline = strftime(timeline2, "%Y-%m-%d")
| table timeline , Lookup count
|chart values(count) as count over timeline by Lookup |fillnull value=0 |tail 4 |reverse



krishna1_0-1699252995057.png

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎11-06-2023 01:26 AM

If you want to see only data that is before the 30th the following line does not make sense:

 

| eval timeline2=relative_time(timeline1,"-1w@w1")

 

The data is correct but since you reduce the timeline date by 1 week it shows 23rd October instead of 30th.. 
Its purely visual though. The data does not change because of this command since you are not filtering against the time of the events after the change.
Just remove this line and the data should be correct

Additionally I'd suggest using the same time conversion.
Converting weeks with %V starts at count 1 while doing it with %U starts at 0. You are using both in the same Query.

 

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%U")

|eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
|eval new_timeline=strftime(timeline_date,"%Y-%U")
|where lastmodifiedWeek<=new_timeline

| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline = strftime(timeline1, "%Y-%m-%d")
| table timeline , Lookup count
|chart values(count) as count over timeline by Lookup |fillnull value=0 |tail 4 |reverse

 

If I missundestood you and you want the data that comes after the 30th then you'd additionally have to change the "where" line to the following:

 

|where lastmodifiedWeek>=new_timeline

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎11-06-2023 01:26 AM

If you want to see only data that is before the 30th the following line does not make sense:

 

| eval timeline2=relative_time(timeline1,"-1w@w1")

 

The data is correct but since you reduce the timeline date by 1 week it shows 23rd October instead of 30th.. 
Its purely visual though. The data does not change because of this command since you are not filtering against the time of the events after the change.
Just remove this line and the data should be correct

Additionally I'd suggest using the same time conversion.
Converting weeks with %V starts at count 1 while doing it with %U starts at 0. You are using both in the same Query.

 

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%U")

|eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
|eval new_timeline=strftime(timeline_date,"%Y-%U")
|where lastmodifiedWeek<=new_timeline

| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline = strftime(timeline1, "%Y-%m-%d")
| table timeline , Lookup count
|chart values(count) as count over timeline by Lookup |fillnull value=0 |tail 4 |reverse

 

If I missundestood you and you want the data that comes after the 30th then you'd additionally have to change the "where" line to the following:

 

|where lastmodifiedWeek>=new_timeline

 

0 Karma
Reply
Solved! Jump to solution

krishna1
Explorer
‎11-08-2023 03:16 AM

Thanks, Its working

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-06-2023 01:21 AM

Your where command is excluding events which are earlier than 30-Oct-23, which is why you are seeing no data from then.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...