Splunk Search

How to search events from selected month?

naty
Path Finder

Hi,

I have a search that displays its result in a table in the following format:

Time Value
MM-YYYY HHHH
MM-YYYY HHHH
MM-YYYY HHHH
MM-YYYY HHHH

I want to make a drilldown so that when I click on one of the times, it would do a search on that month.

For example:
12-2016 1.12547

I click on "12-2016" and I want to make a search with earliest=1st Dec 2016, latest=31st Dec 2016.

I can extract the month and the year from the clicked cell using substr, but the problem is that Splunk stores the months by name, so I have to convert "12" to "December", which costs me an eval.
This is how I extract the month and the year (the "12" has to go through strptime before strftime can render it as a month name, and date_month is stored in lower case):
eval temp=substr("12-2016",1,2), month=lower(strftime(strptime(temp,"%m"),"%B")), year=substr("12-2016",4,7)

This is my search:
index=myind source=mysrc | eval temp=substr("12-2016",1,2), month=lower(strftime(strptime(temp,"%m"),"%B")), year=substr("12-2016",4,7) | where date_month==month AND date_year==year | do some more stuff...

Thank you for your help!!

0 Karma

somesoni2
SplunkTrust

Assuming you've already set up a token, say $selectedmonth$, based on the clicked month, we can set the time range of your drilldown search to the whole of that month, something like this:

index=myind source=mysrc [| gentimes start=-1 | eval earliest=strptime("01-$selectedmonth$","%d-%m-%Y") | eval latest=relative_time(earliest,"+1mon") | table earliest latest ] | do some more stuff...
0 Karma

naty
Path Finder

Hi, thank you for your help.
I do have this token, and its value is in this syntax: MM-YYYY, so it should work perfectly.
However, I have added these lines to my search but it has an error.

This is my search:
index=myind source=mysrc NOT DATETIME (PORT_NAME="P1" OR PORT_NAME="P2" OR PORT_NAME="P3" and some more ports) [| gentimes start=-1 | eval earliest=strptime("01-12-2016","%d-%m-%Y"), latest=relative_time(earliest,"+1mon") | table earliest latest ] | timechart span=1h avg(field) by PORT_NAME | addtotals row=true fieldname=rate | eval rate=rate/1024 | sort rate desc | eval Time=strftime(_time,"%d-%m-%Y") | table Time,rate

I get this error:
Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side

Now I don't have an AND operator, but I assume it has something to do with these 2 added lines.
What correction should I make for the search to work?

0 Karma

somesoni2
SplunkTrust

Yeah... I've seen this issue when you try to pass two or more values from the subsearch (it doesn't come up consistently). You just need to add | format "" "" "" "" "" "" at the end of the subsearch, like this:

index=myind source=mysrc [| gentimes start=-1 | eval earliest=strptime("01-$selectedmonth$","%d-%m-%Y") | eval latest=relative_time(earliest,"+1mon") | table earliest latest | format "" "" "" "" "" "" ] | do some more stuff...
0 Karma
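As an added example (not code from the thread or from Splunk), here is a Simple XML dashboard that wires the two halves together: the first table sets $selectedmonth$ from the clicked Time cell, and the second panel runs the month-bounded drilldown search from the accepted answer. The index, source, field and port names are the thread's placeholders; the dashboard label, panel titles and the monthly summary search are assumptions.

```xml
<dashboard>
  <label>Monthly rate drilldown (added example)</label>
  <row>
    <panel>
      <!-- Summary table: one row per MM-YYYY; first column is Time -->
      <table>
        <search>
          <query>index=myind source=mysrc
            | timechart span=1mon avg(field) AS Value
            | eval Time=strftime(_time,"%m-%Y")
            | table Time Value</query>
          <earliest>-2y@y</earliest>
          <latest>now</latest>
        </search>
        <!-- Clicking a row copies its Time cell (e.g. "12-2016") into the token -->
        <drilldown>
          <set token="selectedmonth">$row.Time$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$selectedmonth$">
    <panel>
      <title>Hourly detail for $selectedmonth$</title>
      <table>
        <search>
          <!-- The subsearch turns "01-MM-YYYY" into epoch earliest/latest bounds.
               latest is the first instant of the next month, so "12-2016" rolls
               into January 2017 correctly. format with empty strings emits bare
               earliest=... latest=... terms instead of a parenthesised AND/OR list. -->
          <query>index=myind source=mysrc
            [| gentimes start=-1
             | eval earliest=strptime("01-$selectedmonth$","%d-%m-%Y")
             | eval latest=relative_time(earliest,"+1mon")
             | table earliest latest
             | format "" "" "" "" "" "" ]
            | timechart span=1h avg(field) by PORT_NAME
            | addtotals row=true fieldname=rate
            | eval rate=rate/1024
            | eval Time=strftime(_time,"%d-%m-%Y %H:%M")
            | table Time rate</query>
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The outer search's time range is set to all time so that only the earliest/latest terms produced by the subsearch bound the drilldown; time modifiers in the search string take precedence over the panel's time range.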