Solved: How to include "month to date" timeline in the sea...

manjushan · ‎09-06-2012

I want to create a dashboard with the current months' log data report. I could select this (other->month to date) in the timeline while querying, to get the results. But how do I add it to the search as an option , so I can save it in the dashboard. So that users get to see that month's data each time they view the dashboard.

Also When I included the option -30d@mon with the search query (as below), I did not get any results in the table format, even though there is data in the logs. But if I select using time line (without giving the option -30d@mon in the search query), I get the result in the table format.

This is the search query I gave:

source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | search Legal_Issue="Securities Law" -30d@mon

narwhal · ‎09-06-2012

ah, yes, latest is assumed to be NOW, so you need to fix that. for last month, try:

"earliest=1mon@mon latest=0mon@mon"

View solution in original post

manjushan · ‎09-07-2012

Thanks so much ! This worked

narwhal · ‎09-07-2012

If that answered your question, be sure to accept the best response so others see it and know it worked for you 🙂

narwhal · ‎09-06-2012

ah, yes, latest is assumed to be NOW, so you need to fix that. for last month, try:

"earliest=1mon@mon latest=0mon@mon"

manjushan · ‎09-06-2012

Thanks I do see results now. The current months works (earliest=-0mon@mon ). Thanks:) !

But When I give for last month (earliest=-1mon@mon ) I get last months and this months.

16 events over all time (from 12:00:00.000 AM August 1 to 3:56:43.822 PM September 6, 2012)

In the timeline I selected(all time) for both queries.

narwhal · ‎09-06-2012

for THIS month, try this:

source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped earliest=-0mon@mon | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | search Legal_Issue="Securities Law"

for LAST month, try this:

source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped earliest=-1mon@mon latest=-0mon@mon | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | search Legal_Issue="Securities Law"

manjushan · ‎09-06-2012

When I give "earliest", I get an error saying "Search operation earliest is unknown. You might not have permission to run this operation"

This is the query :

source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | top limit=10000 Legal_Issue Practice_Area | earliest=-1mon@mon

narwhal · ‎09-06-2012

Shouldn't your -30d@mon be: earliest=-0mon@mon ??? (for THIS month -- ie, since Sept 1)

Or earliest=-1mon@mon for LAST month (ie, Aug 1 to Aug 31)

Or am I missing your goal?

oh, related point-- why not put the "earliest=..." in the first search not the last one?

How to include "month to date" timeline in the search query while creating dashboard.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!