https://community.splunk.com/t5/Splunk-Search/Summarize-date-per-week/m-p/697468#M236934 <P>Yup. That is one of ways to handle it. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P> Tue, 27 Aug 2024 13:34:13 GMT PickleRick 2024-08-27T13:34:13Z https://community.splunk.com/t5/Splunk-Search/Summarize-date-per-week/m-p/697428#M236922 <P>Good day,<BR /><BR />I have a query to summarize data per week. Is there a way to display my tables in a better way as my dates for the path month would just be the dates in number format?&nbsp;<BR /><BR />I would like to name the table Week 1, Week 2, Week 3 etc if possible.<BR /><BR />index=db_it_network sourcetype=pan* url_domain="<A href="http://www.perplexity.ai" target="_blank">www.perplexity.ai</A>" OR app=claude-base OR app=google-gemini* OR app=openai* OR app=bing-ai-base<BR />| eval app=if(url_domain="<A href="http://www.perplexity.ai" target="_blank">www.perplexity.ai</A>", url_domain, app)<BR />| table user, app, _time<BR />| stats count by user app _time<BR />| chart count by app _time span=1w<BR />| sort app 0<BR /><BR /><BR /></P> Tue, 27 Aug 2024 09:02:32 GMT https://community.splunk.com/t5/Splunk-Search/Summarize-date-per-week/m-p/697428#M236922 JandrevdM 2024-08-27T09:02:32Z https://community.splunk.com/t5/Splunk-Search/Summarize-date-per-week/m-p/697435#M236924 <LI-CODE lang="markup">index=db_it_network sourcetype=pan* url_domain="www.perplexity.ai" OR app=claude-base OR app=google-gemini* OR app=openai* OR app=bing-ai-base | eval app=if(url_domain="www.perplexity.ai", url_domain, app) | table user, app, _time | eval week_num = "Week Number" . strftime(_time, "%U") | stats count by user app week_num | chart count by app week_num | sort app 0</LI-CODE> Tue, 27 Aug 2024 13:41:21 GMT https://community.splunk.com/t5/Splunk-Search/Summarize-date-per-week/m-p/697435#M236924 JandrevdM 2024-08-27T13:41:21Z https://community.splunk.com/t5/Splunk-Search/Summarize-date-per-week/m-p/697444#M236925 <P>1. Don't put the "table" command in that place.&nbsp; It doesn't do anything useful and (in distributed setup) moves the processing to the SH layer effectively losing the advantage of parallel stats processing on indexers.</P><P>2. I can't quite grasp what's the point of that <EM>| stats | chart</EM> idea. First you count, then you count the counts.</P><P>3. There is a <EM>timechart</EM> command for time series.</P><P>4. The overal idea with <EM>eval</EM> is OK but I'd rather use <EM>fieldformat</EM> - this way you can freely sort based on actual underlying time data but present the data in a human-readable way.</P> Tue, 27 Aug 2024 11:31:44 GMT https://community.splunk.com/t5/Splunk-Search/Summarize-date-per-week/m-p/697444#M236925 PickleRick 2024-08-27T11:31:44Z https://community.splunk.com/t5/Splunk-Search/Summarize-date-per-week/m-p/697458#M236928 <P class="lia-align-left">Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;<BR /><BR />Thanks for the support.<BR /><BR />The reason for the&nbsp;<EM>| stats | chart&nbsp;</EM>is to distinct my data by user. If I do not do this then I get multiple entries per user for each url. This allows for a user to only hit one url per week and then count them.&nbsp;<BR /><BR />I will try the suggestion. I recently moved from kql to spl and will try and figure out the format for timechart and fieldformat.<BR /><BR />Thank you!</P> Tue, 27 Aug 2024 12:27:23 GMT https://community.splunk.com/t5/Splunk-Search/Summarize-date-per-week/m-p/697458#M236928 JandrevdM 2024-08-27T12:27:23Z https://community.splunk.com/t5/Splunk-Search/Summarize-date-per-week/m-p/697468#M236934 <P>Yup. That is one of ways to handle it. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P> Tue, 27 Aug 2024 13:34:13 GMT https://community.splunk.com/t5/Splunk-Search/Summarize-date-per-week/m-p/697468#M236934 PickleRick 2024-08-27T13:34:13Z