topic Re: Why is time chart with span of 1w always Thursday to Thursday? in Splunk Search

Why is time chart with span of 1w always Thursday to Thursday?

mumblingsages — Fri, 11 Aug 2017 20:24:13 GMT

Title pretty much says it all. Every time I go to run a time chart with a span of 1 week it runs from Thursday to Thursday. Is there a specific reason for this? I have a work around for it in most situations (one exception right now being counts by event types), but my gosh its annoying.

Is there a setting somewhere to control this behavior?

Re: Why is time chart with span of 1w always Thursday to Thursday?

DalJeanis — Tue, 29 Sep 2020 15:21:04 GMT

TL:DR;

...or you could do this to also start on a Sunday. (use "@w1" for Monday, "@w2" for Tuesday etc)

 | eval _time = relative_time(_time,"@w")

That's somewhat inconsistent, relative to the "@w" convention.

First, in a normal search, bin appears to use info_min_time to determine what day of the week is the first. That factor seems to affect even searches based on gentimes.

However, if you append something else, the bin for the something else is not necessarily the same, even if the _bin appears in the search after the various appends have occurred.

Second, because the first day in the universe (1/1/1970) was a Thursday, this formula will always become a Thursday. That appears to affect certain kinds of created data.

  | eval _time=604800*floor(_time/604800)

If you want a different day, then do this, where 4 is the number of days earlier in the week you want to move. Four days before Thursday is Sunday, so this will bin the weeks starting on Sunday.

 | eval _time = -4*86400+604800*floor((_time+4*86400)/604800)

...or you could do this to also start on a Sunday. (use "@w1" for Monday, "@w2" for Tuesday etc)

 | eval _time = relative_time(_time,"@w")

... and here's a run-anywhere snippet that you can play with to check what works and what doesn't...

| gentimes start=05/31/16 end=8/1/16 
| eval _time =starttime
| eval time1=strftime(_time,"%Y-%m-%d %a")
| eval time2=strftime(relative_time(_time,"@w"),"%Y-%m-%d %a") 
| bin _time span=1w as time3
| eval time3=strftime(time3,"%Y-%m-%d %a")
| eval _time = -4*86400+604800*floor((_time+4*86400)/604800) 
| stats values(time1) as time1 values(time2) as time2 values(time3) as time3 count by _time 
| eval showtime=strftime(_time,"%Y-%m-%d %a")|

Re: Why is time chart with span of 1w always Thursday to Thursday?

woodcock — Fri, 11 Aug 2017 20:58:21 GMT

One of these 2 links should give you what you need:
https://answers.splunk.com/answers/5350/possible-to-redefine-w-to-start-on-different-day.html
https://answers.splunk.com/answers/208499/how-to-group-events-per-weeknumber.html

In your case, I think all that you need to do is add the correct w# value to your span=1w (e.g. span=1w@w0 ); see what this does when run for Last 7 days:

index=_*
| multireport [
| bin span=1w@w0 _time
| eval DATASET="w0"
| stats count BY _time DATASET
][
| bin span=1w@w3 _time
| eval DATASET="w1"
| stats count BY _time DATASET
]

Re: Why is time chart with span of 1w always Thursday to Thursday?

mumblingsages — Sat, 12 Aug 2017 01:26:24 GMT

Thanks both of you. I had been doing the eval relative time thing. But strangely enough , timechart with a span=1w@w0 is now giving me exactly what I wanted. I swear I've tried this before an it never worked but now is...

Re: Why is time chart with span of 1w always Thursday to Thursday?

woodcock — Sat, 12 Aug 2017 02:17:17 GMT

Try it again tomorrow!

Re: Why is time chart with span of 1w always Thursday to Thursday?

woodcock — Fri, 15 Mar 2019 13:59:45 GMT

OK, so come back here and either post your own answer or click Accept on an existing one to close the question. Maybe UpVote around, too.