Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to include "month to date" timeline in the search query while creating dashboard.

manjushan
Explorer
‎09-06-2012 03:04 PM

I want to create a dashboard with the current months' log data report. I could select this (other->month to date) in the timeline while querying, to get the results. But how do I add it to the search as an option , so I can save it in the dashboard. So that users get to see that month's data each time they view the dashboard.

Also When I included the option -30d@mon with the search query (as below), I did not get any results in the table format, even though there is data in the logs. But if I select using time line (without giving the option -30d@mon in the search query), I get the result in the table format.

This is the search query I gave:

source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | search Legal_Issue="Securities Law" -30d@mon

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

narwhal
Splunk Employee
Splunk Employee
‎09-06-2012 04:00 PM

ah, yes, latest is assumed to be NOW, so you need to fix that. for last month, try:

"earliest=1mon@mon latest=0mon@mon"

View solution in original post

Reply
Solved! Jump to solution

manjushan
Explorer
‎09-07-2012 11:20 AM

Thanks so much ! This worked

0 Karma
Reply
Solved! Jump to solution

narwhal
Splunk Employee
Splunk Employee
‎09-07-2012 10:24 AM

If that answered your question, be sure to accept the best response so others see it and know it worked for you 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

narwhal
Splunk Employee
Splunk Employee
‎09-06-2012 04:00 PM

ah, yes, latest is assumed to be NOW, so you need to fix that. for last month, try:

"earliest=1mon@mon latest=0mon@mon"
Reply
Solved! Jump to solution

manjushan
Explorer
‎09-06-2012 03:57 PM

Thanks I do see results now. The current months works (earliest=-0mon@mon ). Thanks:) !

But When I give for last month (earliest=-1mon@mon ) I get last months and this months.

16 events over all time (from 12:00:00.000 AM August 1 to 3:56:43.822 PM September 6, 2012)

In the timeline I selected(all time) for both queries.

Reply
Solved! Jump to solution

narwhal
Splunk Employee
Splunk Employee
‎09-06-2012 03:52 PM

for THIS month, try this:

source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped earliest=-0mon@mon | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | search Legal_Issue="Securities Law"

for LAST month, try this:

source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped earliest=-1mon@mon latest=-0mon@mon | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | search Legal_Issue="Securities Law"
Reply
Solved! Jump to solution

manjushan
Explorer
‎09-06-2012 03:47 PM

When I give "earliest", I get an error saying "Search operation earliest is unknown. You might not have permission to run this operation"

This is the query :

source="/flocal/logs/tomcat-6.0.18/lawyers/search-mapping.log" searchTerm PAMapped | eval Legal_Issue=urldecode(searchTerm) | eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped)) | top limit=10000 Legal_Issue Practice_Area | earliest=-1mon@mon

0 Karma
Reply
Solved! Jump to solution

narwhal
Splunk Employee
Splunk Employee
‎09-06-2012 03:43 PM

Shouldn't your -30d@mon be: earliest=-0mon@mon ??? (for THIS month -- ie, since Sept 1)

Or earliest=-1mon@mon for LAST month (ie, Aug 1 to Aug 31)

Or am I missing your goal?

oh, related point-- why not put the "earliest=..." in the first search not the last one?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...