Solved: Re: time span query

PaulaCom · ‎07-24-2023

Hi All

I'd like some help please with a query thats been asked of me and its a little out of my depth

the current below query shows year total of helpdesk calls by year

index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json
| dedup id
| fillnull value=NULL
| search "problemtype.detailDisplayName"!=*AGRESSO*
| eval problem_detail='problemtype.detailDisplayName'
| eval problem_detail=replace(problem_detail, "&#8226","")
| eval problem_detail=replace(problem_detail, ";","|")
| eval techGroupLevel = 'techGroupLevel.levelName'
| eval techGroupLevel = replace(techGroupLevel, " "," ")
| eval techGroupLevel = replace(techGroupLevel, " ","")
| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")
| eval location_Name = 'location.locationName'
| eval status = 'statustype.statusTypeName'
| eval priority = 'prioritytype.priorityTypeName'
| eval techGroupId = 'techGroupLevel.id'
| eval tech_Name = 'clientTech.displayName'
| top limit=20 date_year
| search date_year IN(2020,2021,2022,2023)
| eval sort=case(date_year=="2020", "02", date_year=="2021","03", date_year=="2022","04", date_year=="2023","05")
| sort sort
| fields - sort
| fields - percent
| eval Year=case(date_year=="2020", "Y 2020", date_year=="2021", "Y 2021", date_year=="2022", "Y 2022", date_year=="2023", "Y 2023")
| table Year count

i would now like to show years only 2021 and 2022 in line chart

but ... i would like each year to have a separate line

if possible i'd like the time span for each year to be broken into a month

i can get this with the time picker (previous year chosen) and following query below for 2022

index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json
| dedup id
| fillnull value=NULL
| search "problemtype.detailDisplayName"!=*AGRESSO*
| eval problem_detail='problemtype.detailDisplayName'
| eval problem_detail=replace(problem_detail, "&#8226","")
| eval problem_detail=replace(problem_detail, ";","|")
| eval techGroupLevel = 'techGroupLevel.levelName'
| eval techGroupLevel = replace(techGroupLevel, " "," ")
| eval techGroupLevel = replace(techGroupLevel, " ","")
| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")
| eval location_Name = 'location.locationName'
| eval status = 'statustype.statusTypeName'
| eval priority = 'prioritytype.priorityTypeName'
| eval techGroupId = 'techGroupLevel.id'
| eval tech_Name = 'clientTech.displayName'
| timechart span=1mon count(id)

how can i get both years show ?

thank you

🙂

ITWhisperer · ‎07-24-2023

Try without span=

| timewrap 1y

View solution in original post

PaulaCom · ‎07-24-2023

thank you that worked

ITWhisperer · ‎07-24-2023

I updated my response accordingly.

PaulaCom · ‎07-24-2023

i get an error message with that

Error in 'timewrap' command: Option 'span=1y' is invalid.

ITWhisperer · ‎07-24-2023

Try without span=

| timewrap 1y

ITWhisperer · ‎07-24-2023

Try something like this

index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json earliest=-2y@y latest=@y
| dedup id
| fillnull value=NULL
| search "problemtype.detailDisplayName"!=*AGRESSO*
| eval problem_detail='problemtype.detailDisplayName'
| eval problem_detail=replace(problem_detail, "&#8226","")
| eval problem_detail=replace(problem_detail, ";","|")
| eval techGroupLevel = 'techGroupLevel.levelName'
| eval techGroupLevel = replace(techGroupLevel, "&nbsp;"," ")
| eval techGroupLevel = replace(techGroupLevel, " ","")
| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")
| eval location_Name = 'location.locationName'
| eval status = 'statustype.statusTypeName'
| eval priority = 'prioritytype.priorityTypeName'
| eval techGroupId = 'techGroupLevel.id'
| eval tech_Name = 'clientTech.displayName'
| timechart span=1mon count(id)
| timewrap 1y

time span query

timechart

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?