Splunk Search

Equivalent of '$' of bash in splunk

rishavvaidya
Explorer

Query:

search...| eval earliest=relative_time(strptime("01-February 2017","%d-%B %Y"),"+0mon"), latest=relative_time(earliest,"+1mon")|eventstats first(earliest) as earliest first(latest) as latest |makecontinuous d span=1d start=earliest end=latest | chart .....

This thing gives an error indicating it is not accepting earliest and latest field values.
How can I pass the values of earliest and latest here to makecontinuous?


rishavvaidya
Explorer

I found a better way to make my chart continuous. It can be done by chart using span=1d and plotting it against _time.


niketn
Legend

@rishavvaidya, can you please explain how you are getting earliest value to your search? Do you have time picker input or is it some default times selected for search?

latest=relative_time(earliest,"+1mon")

Also is "01-February 2017" a fixed date for earliest?

Please clarify what you are trying to do and what dashboard elements you currently have because from the description so far it seems like there might be a better way to create the search rather than what you are attempting.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

rishavvaidya
Explorer

@niketn

Thanks

Below is the original query that I am using...

index="idx" |eval d=replace(strptime(update,"%Y-%m-%d"),".\d+","")|eval date=strftime(d,"%B %Y")|where like(date,"February 2017%")|chart count as Count by d |makecontinuous d span=1d |fillnull|eval date=strftime(d,"%Y-%m-%d") | chart values(Count) as Count by date

Here I am using the "update" field as the time field. And the month I will get dynamically by passing a token from the dropdowns.
My idea is to get the count of events on every day of the month. Even if the day has no event it should give 0.

I'm using makecontinuous to do that but the issue with this is that it makes the dates continuous only from the first non zero event it finds.
Like if the first non-zero event it finds is on the 3rd of the month then it will make the days continuous from that day, leaving out the 1st and 2nd day.

So I wanted to use start and end attributes of makecontinuous to make it forcibly start from first day of month. But they only take epoch values. So I tried to pass these values via fields with the below query in between. But it doesn't work. Tell me if there is any other way I can make my data continuous.

eval earliest=relative_time(strptime("01-February 2017","%d-%B %Y"),"+0mon"), latest=relative_time(earliest,"+1mon")|eventstats first(earliest) as earliest first(latest) as latest |makecontinuous d span=1d start=earliest end=latest
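One way to force the zero-filled range to start on the first of the month regardless of where the first event falls, as an added example that is not from any post in this thread: build the full list of days with makeresults and mvrange, append it to the real daily counts, and sum the two. It assumes the index idx, the update field in %Y-%m-%d format and the fixed month February 2017 from the posts above; the two literal dates are where the dropdown tokens would be substituted.

```spl
index="idx" update=*
| eval _time=strptime(update,"%Y-%m-%d")
| bin _time span=1d
| stats count as Count by _time
| append
    [| makeresults
     | eval day=mvrange(strptime("2017-02-01","%Y-%m-%d"), strptime("2017-03-01","%Y-%m-%d"), 86400)
     | mvexpand day
     | eval _time=day, Count=0
     | fields _time Count]
| stats sum(Count) as Count by _time
| where _time>=strptime("2017-02-01","%Y-%m-%d") AND _time<strptime("2017-03-01","%Y-%m-%d")
| eval date=strftime(_time,"%Y-%m-%d")
| table date Count
```

The where clause drops events whose update date falls outside the month, taking the place of the like(date, "February 2017%") filter in the original query, so the output is exactly 28 rows with a 0 on any day that had no events.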