I want to design a new timechart dashboard panel based on a specific search over exactly 1 month (or 30 days).
My search looks like:
sourcetype="XXX" | timechart count by attack_type
I want the x-axis to be formatted like 01.12.15 – 31.12.15, no matter whether I got logs, in order to create a monthly PDF of my dashboard.
Similar to this: https://answers.splunk.com/storage/temp/51200-missingdata-20150811.jpg
How can I do this?
If you want the time ranges to be included in your search, you can use the now() feature to calculate the needed start and end dates.
If your report shall reflect the current month, you can use a search string as follows:
sourcetype="xxx" earliest="@mon" latest="+1mon@mon"
| timechart span=1d count by attack_time
Same would go for the last month:
sourcetype="xxx" earliest="-1mon@mon" latest="@mon"
| timechart span=1d count by attack_time
sourcetype="xxx" earliest="@mon" latest="+1mon@mon"
| timechart span=1d count by attack_time
also shows the range from 05.Nov-12.Nov >> I don't understand this
Set the time range picker to select the period/month you want to look at (Date Range -> Between -> select the dates)
Or use the advanced options in the timerange picker:
To see the current month set earliest=-1mon@mon latest=@mon
To see the previous month set earliest=@mon latest=now
sourcetype="xxx"
| timechart span=1d count by attack_time
earliest=-1mon@mon latest=now >> shows 01-12.Nov.
But after a few seconds the range from 05.11-12.11 >> I don't understand this
Is there any event with a timestamp <5.11?
Yes, I got a few events in October but none in November <05.11
You are searching the range 1.11 - 31.11, and there is no value to show for 1.11 - 4.11. That's why you don't see values here