Splunk Search

How to dynamically exclude a value for a day in a graph if the day is incomplete?

HattrickNZ
Motivator

If I have a search using earliest and latest, say 1st of Dec 16 to 1st Feb 2017, this will draw a graph.
But if I look at the graph today, Dec 15th of 2016, the graph will look fine up until Dec 15th 2016; as this date will be incomplete, the graph will show a drop on this date.

Is there a way to dynamically not include this incomplete date?

Example of my search
... earliest=1480503600 latest=1485860400...

One way is to change the value of that cell for that day (change it to '' or 0, whichever works), but as I said above I am looking for a dynamic way of doing this.

## change value of a column
eval tcheck=strptime("2016-12-15","%F") |
eval "Column Name"=if(_time==tcheck,'','Column Name') |

graph showing the incomplete day value in the graph that I want to remove

0 Karma

lguinn2
Legend

First, is there a reason that you have to specify the search timerange in epoch time?
It is much easier to use relative time notation:

earliest=-14d@d latest=@d

Note the use of "@d", which means "snap to." By specifying latest as "@d", I am saying "at the beginning of today" - or midnight.
Using this notation means that I will never retrieve data for a partial day. The relative time modifiers are discussed in the Search Manual under Time Modifiers.

While it is most efficient to simply eliminate unwanted events in the base search, you can also eliminate "partial time bins" in the timechart command. For example:

| timechart partial=f span=1d count by status

will eliminate any partial days from the timechart. Note that this eliminates partial days at both ends of the time range.

0 Karma

HattrickNZ
Motivator

tks, I cannot use the relative time notation earliest=-14d@d latest=@d if I want to achieve these set/fixed dates, 1st of Dec 16 to 1st Feb 2017, every day the graph is viewed, or maybe I am mistaken.

I tried partial=f but that did not seem to make a difference. The value for the incomplete day is still there.

Given this method that I mentioned above:

eval tcheck=strptime("2016-12-15","%F") |
eval "Column Name"=if(_time==tcheck,'','Column Name') |

If I could somehow make this 2016-12-15 a dynamic variable that always evaluates to the current date when viewing the graph, then this way I could remove the value for the incomplete day, which is what I want.

0 Karma
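An added example, not posted by anyone in this thread, showing one way to keep the fixed epoch time range from the question while dropping the current (incomplete) day at search time. It assumes a base search on hypothetical index and sourcetype names and the `status` field from the answer above; relative_time(now(), "@d") snaps to midnight in the search's timezone, exactly like the "@d" modifier.

```spl
``` base search with the fixed range from the question (index/sourcetype are placeholders) ```
index=your_index sourcetype=your_sourcetype earliest=1480503600 latest=1485860400
``` one bin per day; partial=f only trims bins cut by the earliest/latest boundaries ```
| timechart span=1d count by status
``` compute "start of today" once per search run, so the cut-off moves every day ```
| eval today_start=relative_time(now(), "@d")
``` keep only complete days; once latest (1 Feb 2017) is in the past this drops nothing ```
| where _time < today_start
| fields - today_start
```

If the row for today must stay visible but empty, replace the where/fields lines with eval "Column Name"=if(_time>=relative_time(now(), "@d"), null(), 'Column Name') for each column you want blanked.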