https://community.splunk.com/t5/Splunk-Search/Detect-Start-of-Week-Weekly-aggregations/m-p/454750#M168185 <P>One way I figured out how to do this is using: </P> <PRE><CODE>| eval Week = strftime(strptime(_time, "%Y-%m-%d %H:%M:%S.%N"), "%V") </CODE></PRE> <P><STRONG>strptime</STRONG> converts the _time [formatted in "%Y-%m-%d %H:%M:%S.%N"] to Unix epoch time. Then <STRONG>strftime</STRONG> extracts the week of year from the epoch time using "<STRONG>%V</STRONG>"</P> <P>The variable <STRONG>%V</STRONG> is not mentioned in the <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables">documentation</A>. </P> <P>However, how do I declare custom weeks, if the business requirements are as such? </P> Wed, 25 Jul 2018 03:25:07 GMT anirbandasdeb 2018-07-25T03:25:07Z https://community.splunk.com/t5/Splunk-Search/Detect-Start-of-Week-Weekly-aggregations/m-p/454749#M168184 <P>Hello splunkers, </P> <P>We have to calculate some KPIs, on time-series data, aggregated by multiple factors, with time being the most important one. <BR /> The most common time aggregations for us are monthly and weekly. </P> <P><STRONG>Scenario:</STRONG> Calculate the weekly trend of a KPI for the month of May 2018 [ref image attached]</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5411iEEDF346ABB20F58A/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>How one would normally do it would be [assume week start on Sunday]: <BR /> <STRONG>Week Date</STRONG><BR /> <STRONG>1:</STRONG> 1 - 5<BR /> <STRONG>2:</STRONG> 6 - 12<BR /> <STRONG>3:</STRONG> 13 - 19<BR /> <STRONG>4:</STRONG> 20 - 26<BR /> <STRONG>5:</STRONG> 27 - 31</P> <P>Thus there will be 5 data points. </P> <P><STRONG>How do I implement this in Splunk?</STRONG> </P> <P>The way I figured out to do it now is use "<STRONG>bin span=1w _time</STRONG>", but it does not detect the <EM>week start</EM>. <BR /> However, this approach plainly takes 7 days from the 1st of the month and the result is that we have skewed weeks leading to misleading KPI values. </P> Tue, 24 Jul 2018 08:02:52 GMT https://community.splunk.com/t5/Splunk-Search/Detect-Start-of-Week-Weekly-aggregations/m-p/454749#M168184 anirbandasdeb 2018-07-24T08:02:52Z https://community.splunk.com/t5/Splunk-Search/Detect-Start-of-Week-Weekly-aggregations/m-p/454750#M168185 <P>One way I figured out how to do this is using: </P> <PRE><CODE>| eval Week = strftime(strptime(_time, "%Y-%m-%d %H:%M:%S.%N"), "%V") </CODE></PRE> <P><STRONG>strptime</STRONG> converts the _time [formatted in "%Y-%m-%d %H:%M:%S.%N"] to Unix epoch time. Then <STRONG>strftime</STRONG> extracts the week of year from the epoch time using "<STRONG>%V</STRONG>"</P> <P>The variable <STRONG>%V</STRONG> is not mentioned in the <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables">documentation</A>. </P> <P>However, how do I declare custom weeks, if the business requirements are as such? </P> Wed, 25 Jul 2018 03:25:07 GMT https://community.splunk.com/t5/Splunk-Search/Detect-Start-of-Week-Weekly-aggregations/m-p/454750#M168185 anirbandasdeb 2018-07-25T03:25:07Z