topic My weekly timespan shows bins that are more than week boundaries in Splunk Search

My weekly timespan shows bins that are more than week boundaries

tambepc — Sun, 03 Jul 2016 13:29:26 GMT

I have set up an accelerated summary for a report with summary range of 1 month. I want to report summary by week. When I run a search with "timechart bins=4 span=1week...", I get 4 to 5 bins: one per week. But then I also get some other bins with days in addition to weekly bins in my search results. I don't want to get individual days that are outside the week boundaries. I never want to see data summarized by any granularity lower than a week. Do I need to change my acceleration setup or my timechart command in the search?

Splunk doc says to let them figure out the correct timespan. But I feel that they are summarizing at too low of a granular level (10min, 1hr). Regardless, I want the timechart command to show correct results with proper weekly bins.

What is wrong here?

Here is how my summary detail looks:

Details Learn more. Summarization Load 0.0000 Access Count 0 Last Access: Never Size on Disk 7.83MB Summary Range 30 days Timespans 10min, 1d, 1h, 1mon Buckets 506 Chunks 1002

Re: My weekly timespan shows bins that are more than week boundaries

martin_mueller — Sun, 03 Jul 2016 13:55:31 GMT

Do post the entire search you're running, over what time range, and what results you're getting in the statistics tab.

Re: My weekly timespan shows bins that are more than week boundaries

woodcock — Mon, 04 Jul 2016 14:59:21 GMT

Do the bucketing yourself, like this, just before your timechart command:

... |  eval _time = case((tonumber(strftime(_time, "%d")) <= 7),  "1",
                         (tonumber(strftime(_time, "%d")) <= 14), "2",
                         (tonumber(strftime(_time, "%d")) <= 21), "3",
                         (tonumber(strftime(_time, "%d")) <= 28), "4",
                                                          true(), "5")

Re: My weekly timespan shows bins that are more than week boundaries

tambepc — Wed, 06 Jul 2016 15:10:40 GMT

Thank you @woodcock. This worked. I further modified it as follows to snap _time to the beginning of the week (Sunday):

| eval _time = strftime(relative_time(_time, "-0w@w"),"%Y-%m-%d")
| stats count as events by _time

Although, I am somewhat disappointed that timechart is not working as expected with its "span" and "bins" options. Anyway, thank you very much for your help!!