how to display last 4 weeks data from now in a sea...

rijinc · ‎08-01-2017

THis is my query i want to display a time chart where it should display the last 4week ( week by week) in a time chart which should display from now -last 4weeks

here is my query

index="@@$" | eval _time = Planned | where _time < relative_time(now(), "-4w@w") | timechart span=4w sum(Count) as Count

here Planned is a date field assume its converted into epochtime already

how to display the chart where the planned date should fetch only (- 4weeks - till now)

Please let me know if its possible
Awaiting for your response

cmerriman · ‎08-01-2017

if Planned is already in Epoch

index="@@$" | where Planned > relative_time(now(), "-4w@w")  | eval _time = Planned| timechart span=1w sum(Count) as Count

your sign was saying that you wanted to grab data BEFORE four weeks ago, not AFTER four weeks ago. You could eval _time=Planned before your where statement, but if it's already in epoch, it shouldn't matter. Also, I changed the timechart to span 1 week at a time, instead of the 4 weeks in the original statement.

niketn · ‎08-01-2017

I think chart can be used directly with Planned as x-axis to skip eval to assign Planned as _time value.

 index="@@$" 
| where Planned > relative_time(now(), "-4w@w")
| chart span=1w sum(Count) as Count over Planned
| fieldformat Planned=strftime(Planned,"%Y/%m/%d")

Final fieldformat is to display Planned time as String Time while retaining value as epoch.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DalJeanis · ‎08-01-2017

your comparison operator is backward - you would be getting events earlier than -4w rather than later than that.

rijinc · ‎08-01-2017

i need to show the count of planned dates which should give me the dates from the last for weeks from today date . Hence i was assuming it as "-4w"

DalJeanis · ‎08-01-2017

@rijinc - There's nothing wrong with that part, it's the comparison operator - you are only getting events BEFORE that date.

gcusello · ‎08-01-2017

Hi
Try something like this

index="@@$" earliest=-4w@w latest=now
| timechart span=1w count

Bye.
Giuseppe

rijinc · ‎08-01-2017

Hi cusello

I know this works
but as i am using a date field (Planned) this needs to fetch - 4 weeks from now

gcusello · ‎08-01-2017

ok, try

index="@@$" earliest=-4w latest=now
 | timechart span=1w count

Bye.
Giuseppe

cmerriman · ‎08-01-2017

what format is Planned in? Epoch? "mm/dd/YYYY HH:SS:MM"?

rijinc · ‎08-01-2017

Yes its in Epoch Format "dd/mm/YYYY HH:SS:MM"

sbbadri · ‎08-01-2017

@rijinc
index="@@$" | eval _time = Planned | eval _time=strftime(_time,"%Y-%m-%d") | timechart span=4w sum(count) as Coun

cmerriman · ‎08-01-2017

just to add a comment quick that if you need to snap to a specific day of the week, you can do that too.
@w is Sunday
@w1 is Monday
@w2 is Tuedasy
etc.
if you just want to go to 4 weeks ago from now, just write earliest=-4w

how to display last 4 weeks data from now in a search query

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!