Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search data for All Time but only graph a specified time range

kyule
New Member
‎10-17-2017 11:08 AM

Hello,

I am charting IT help desk tickets and I need to make a chart showing how many tickets are opened and closed every month. The timestamp for _time is the ticket failure_date. To accurately reflect how many tickets are closed per month I need to search "All_Time" so if a ticket were opened in say December 2016 and then closed in March 2017 it'll be captured in the graph.

Now I can get all the data to graph but I would like to only graph select months if possible. Below is the current search I am using:

sourcetype=Current_file
| where STATUS != "DRAFT"
| eval FAILURE_DATE=strptime(FAILURE_DATE, "%m/%d/%Y %H:%M")
| eval CLOSED_DATE=strptime(CLOSED_DATE, "%m/%d/%Y %H:%M")
| eval STATUS=mvappend("Open","Closed")
| mvexpand STATUS
| eval _time=case(STATUS="Open", FAILURE_DATE, STATUS="Closed", CLOSED_DATE)
| timechart span=1mon count by STATUS

0 Karma
Reply

mydog8it
Builder
‎10-17-2017 02:06 PM

I think this will work for you, but you will probably want to change something to make the timechart more interesting...

sourcetype=Current_file
| where STATUS != "DRAFT"
| eval FAILURE_DATE=strptime(FAILURE_DATE, "%m/%d/%Y %H:%M")
| eval CLOSED_DATE=strptime(CLOSED_DATE, "%m/%d/%Y %H:%M")
| eval show_date=strftime(strptime(CLOSED_DATE,"%Y/%m/%d"),"%m")
| eval STATUS=mvappend("Open","Closed")
| mvexpand STATUS
| eval _time=case(STATUS="Open", FAILURE_DATE, STATUS="Closed", CLOSED_DATE, show_date=X)
| timechart span=1mon count by STATUS

Replace the "X" in "show_date=X" with the month you wish to display

0 Karma
Reply

kyule
New Member
‎10-17-2017 04:58 PM

Thank you for the reply Mydog8it, but I am getting the following error when using that:
Error in 'eval' command: The arguments to the 'case' function are invalid.

To clarify when I entered month I used decimals, and then spelled out the month.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-18-2017 05:48 AM

Try this.

... | eval _time=case(STATUS="Open", FAILURE_DATE, STATUS="Closed", CLOSED_DATE, 1==1, show_date=X) | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kyule
New Member
‎10-18-2017 06:09 AM

Thank you Rich,

Thank you very much for the suggestion, it does get rid of the error I was having with just using "show_date=X", but when I enter a date the search still graphs "All_time" rather than the specified month in "show_date=X". Actually it's rather odd no matter what value I put into "show_date=x" Splunk returns with "All_time" graphed data.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-19-2017 06:14 AM

_time is an integer. The last clause of the case sets _time to "show_date=October", which is not an integer. Try ... | eval _time=case(STATUS="Open", FAILURE_DATE, STATUS="Closed", CLOSED_DATE, 1==1, show_date) | ....

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kyule
New Member
‎10-20-2017 06:12 AM

Good morning Rich,

I'm still getting data graphed over "All_time". I think I may try and separate the search into an open and a close and then try to join them or appendcols...and re-index the .csv file to use indexed time as the _time rather than Failure_Date.

Thank you for the help.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...