Reporting

Time value shenanigans

elloyd4
Explorer

When I run this filter, I want Splunk to give me a count per day based on the month, day, and year of the value sys_created_on, instead of any ticket that may have been touched that day but created on another day. What am I doing wrong!? I'm teaching myself and have at least made it this far.

I just want to get a count per day for the sys_created_on value. I tell it to give me per-day values in the time picker and it gives me incidents that were not created on that day.

SEARCH
| dedup dv_number
| table sys_created_on dv_number dv_u_username_id assignment_group_name dv_assigned_to dv_u_workstation_ci dv_cmdb_ci dv_u_location_1 description dv_close_notes u_last_3_worknotes
| rename sys_created_on AS "Created On", dv_number AS "Incident Number", dv_u_username_id AS "Username", assignment_group_name AS "Assignment Group", dv_assigned_to AS "Assigned to", dv_u_workstation_ci AS "Workstation ID", dv_cmdb_ci AS "CI", dv_u_location_1 AS "Location", description AS "Description", dv_close_notes AS "Closing Notes", u_last_3_worknotes AS "Last 3 Work Notes"
| sort - "Incident Number"

richgalloway
SplunkTrust

The time picker looks only at the _time field, not sys_created_on or any other. Any filtering on other time fields has to be done manually. If sys_created_on is in epoch (integer) form then this may help.

SEARCH
| dedup dv_number
| addinfo
| where (sys_created_on >= info_min_time AND sys_created_on <= info_max_time)
| table sys_created_on dv_number dv_u_username_id assignment_group_name dv_assigned_to dv_u_workstation_ci dv_cmdb_ci dv_u_location_1 description dv_close_notes u_last_3_worknotes
| rename sys_created_on AS "Created On", dv_number AS "Incident Number", dv_u_username_id AS "Username", assignment_group_name AS "Assignment Group", dv_assigned_to AS "Assigned to", dv_u_workstation_ci AS "Workstation ID", dv_cmdb_ci AS "CI", dv_u_location_1 AS "Location", description AS "Description", dv_close_notes AS "Closing Notes", u_last_3_worknotes AS "Last 3 Work Notes"
| sort - "Incident Number"

If sys_created_on is a text field ("04/21/2021", for example) then it must be converted to an integer using the strptime function. That's left as an exercise for the reader.

---
If this reply helps you, Karma would be appreciated.
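An added example, not part of either post above: it does the strptime conversion the answer leaves as an exercise, applies the same addinfo range check, and then produces the per-day count the question asks for. It assumes sys_created_on is either epoch seconds or text in %m/%d/%Y form with an optional HH:MM:SS; SEARCH stands in for the base search as in the posts, and the field names created_epoch and created_day are invented here.

```spl
SEARCH
| dedup dv_number
| eval created_epoch = if(isnum(sys_created_on), sys_created_on, coalesce(strptime(sys_created_on, "%m/%d/%Y %H:%M:%S"), strptime(sys_created_on, "%m/%d/%Y")))
| addinfo
| where created_epoch >= info_min_time AND created_epoch <= info_max_time
| eval created_day = strftime(created_epoch, "%Y-%m-%d")
| stats count AS incidents BY created_day
| sort - created_day
```

Rows whose sys_created_on does not match either format get a null created_epoch and drop out silently at the where clause, so check the count of null values (for example with `| where isnull(created_epoch)` in a separate run) before trusting the daily totals.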