topic Re: How to group daily results by week more close together? in Splunk Search

How to group daily results by week more close together?

KalebeRS — Wed, 19 Jul 2023 07:19:36 GMT

Hello,

I have this search for a chart that counts values weekly and divides then by day of the week.

Is there any option that I can do to show this graph a little more compact grouping the results daily in showing just the week like the screenshots examples?

Re: How to group daily results by week more close together?

gcusello — Tue, 18 Jul 2023 14:08:30 GMT

Hi @KalebeRS ,

let me understand: you have a chart with data divided by week/day and you want to aggregate data by week, is it correct?

if this is your requirement, you can extract the week number and use it for charting:

Ciao.

Giuseppe

Re: How to group daily results by week more close together?

KalebeRS — Tue, 18 Jul 2023 14:23:35 GMT

Not exactly, I just need to rearenge the values by week day into smaller groups, like in the screenshot. Still showing the values by week dividing by day, but in a compact form.

Re: How to group daily results by week more close together?

gcusello — Tue, 18 Jul 2023 14:28:32 GMT

Hi @KalebeRS,

it's possible if you have only one valye in the chart command,

otherwise, it runs, but it isn't so readable.

please try this:

index="" host= sourcetype=csv [search index="" host= sourcetype=csv source=C:\\CW28_2.csv | dedup source | table source | sort - source | head 1 ] | table iswID, iswTitle, iswSD, pverID, pverSF | where iswSD >= strftime(relative_time(now(), "-3w@w"),"%Y-%m-%d") | eval Week_Number=strftime(strptime(iswSD,"%Y-%m-%d"),"%V") | eval Week_Number_Day=strftime(strptime(iswSD,"%Y-%m-%d"),"%V %A") | eval ISWGT=if(iswSD>pverSF, 1,0) | eval ISWLE=if(iswSD<=pverSF, 1,0) | eval non_mapped=case(match(pverID, ""), "match") | chart sum(ISWGT), sum(ISWLE), count(non_mapped) as "Non Mapped" OVER Week_Number_Day BY Week_Number

Ciao.

Giuseppe