topic Re: How to snap span with bucket in Splunk Search

How to snap span with bucket

aarcro — Tue, 29 May 2012 21:15:05 GMT

So I want use bucket to group my data by weeks that start on Mondays if I change my query to use earliest=-1w@w1 latest=@w1 Then bucket span=week does the right thing. But I'm going to be running a daily (or hourly) summary index, that I want to bucket by weeks including the current week in progress.

Index:

sourcetype="source" | bucket _time span=day | stats count by severity, customer, _time

Search that works for daily counts

search severity > 9 customer="name" | eval Day=strftime(_time, "%Y-%m-%d")|  eval n="count" | xyseries Day, n, count

I need a search that works for weekly counts snapped to mondays.

Re: How to snap span with bucket

lguinn2 — Wed, 30 May 2012 08:08:51 GMT

How does this work for you?

search severity > 9 customer="name" | 
eval Week=relative_time(_time, "@w1") |  
eval n="count" | 
xyseries Week, n, count

Re: How to snap span with bucket

aarcro — Wed, 30 May 2012 14:25:00 GMT

relative_time() - Works perfect! Thanks.

Re: How to snap span with bucket

aarcro — Wed, 30 May 2012 14:49:46 GMT

Actually need to run through stats again to sum(count) by Week

Re: How to snap span with bucket

lguinn2 — Mon, 28 Sep 2020 11:53:30 GMT

search severity > 9 customer="name" |
eval Week=relative_time(_time, "@w1") |

stats count by severity customer Week |
eval n="count" |
xyseries Week, n, count

though I am unclear on why you want count by severity and customer as well as by week...