All Apps and Add-ons

How to compare data for specified absolute dates using the Timewrap command?

rajxkhanna
Engager

I am looking for an example to compare data for specific weeks using the timewrap command

For example, I would like to compare data from:

Monday, May 25th 00:00:01 to Sunday May 30th 23:59:00 (1 week)

with

Monday, June 15th to Sunday, June 20th.

This must be a common usage, but still couldn't find an example of providing absolute dates.

I could just do |timewrap w, but I don't want to pull data for all weeks, but only for the ones that are of interest to me. Also, I want Monday to Sunday and not relative weeks from the current day.

Tags (1)
1 Solution

Richfez
SplunkTrust
SplunkTrust

It seems you have two issues.

The first problem is that you'd like to snap your time frames to weeks properly, regardless of when in the week you currently are. This can likely be handled with relative time modifiers and chained relative time modifiers. More info here on those, but the following very simple example search of my own may get you started:

sourcetype="WinEventLog:Security" earliest=-4w@w latest=-1w@w 
| timechart count by ComputerName 
| timewrap w

Shows a 3 week range ( earliest=-4w and latest=-1w ), snapping to Sunday-Saturday (the @w part). Again, following the docs linked above you can chain the dates/times and do all sorts of interesting things.

The second problem is to get rid of some weeks. So solve this, add some extra parameters to your timewrap, then remove a few things.

sourcetype="WinEventLog:Security" earliest=-9w@w+1d latest=-5w 
| timechart count by ComputerName 
| timewrap w series=short 
| table _time *_s0 *_s2

The first and second lines are unchanged.
The third line, the timewrap, added a series=short to make the names easier to manipulate. This is covered in the timewrap docs.
Keep in mind that when you do timewrap, it creates, in this case of doing so for a three week period, field_s0, field_s1, field_s2 for each data series, and that brings us to our last line which displays only fields ending in s0 and s2 (thereby skipping s1).

Now, I don't know exactly how you would use those tools to get your precise answer, but I think these two methods should get you in the ballpark.

View solution in original post

caili
Path Finder

I don't understand your question exactly because my English is poor, and I'm not sure the query below can help you.

YourSearch earliest="05/25/2015 00:00:00" latest="05/30/2015 23:59:59" | eval weeknum="first week" | append [search YourSearch earliest="06/15/2015 00:00:00" latest="06/20/2015 23:59:59" | eval weeknum="second week" ] | timechart count by weeknum

In the query ,I do not use timewrap command

Hope it's useful to you~~

0 Karma

Richfez
SplunkTrust
SplunkTrust

It seems you have two issues.

The first problem is that you'd like to snap your time frames to weeks properly, regardless of when in the week you currently are. This can likely be handled with relative time modifiers and chained relative time modifiers. More info here on those, but the following very simple example search of my own may get you started:

sourcetype="WinEventLog:Security" earliest=-4w@w latest=-1w@w 
| timechart count by ComputerName 
| timewrap w

Shows a 3 week range ( earliest=-4w and latest=-1w ), snapping to Sunday-Saturday (the @w part). Again, following the docs linked above you can chain the dates/times and do all sorts of interesting things.

The second problem is to get rid of some weeks. So solve this, add some extra parameters to your timewrap, then remove a few things.

sourcetype="WinEventLog:Security" earliest=-9w@w+1d latest=-5w 
| timechart count by ComputerName 
| timewrap w series=short 
| table _time *_s0 *_s2

The first and second lines are unchanged.
The third line, the timewrap, added a series=short to make the names easier to manipulate. This is covered in the timewrap docs.
Keep in mind that when you do timewrap, it creates, in this case of doing so for a three week period, field_s0, field_s1, field_s2 for each data series, and that brings us to our last line which displays only fields ending in s0 and s2 (thereby skipping s1).

Now, I don't know exactly how you would use those tools to get your precise answer, but I think these two methods should get you in the ballpark.

rajxkhanna
Engager

Thanks for sharing how to use series=short I ended up using a combination of your solution and the "append" command to get to the desired results. I should mention that *_s0 *_s1 start with the latest time; for example, if you're comparing two weeks in the past, the latest week will be the one represented by s0.

Richfez
SplunkTrust
SplunkTrust

Ah, yes, thank you for reminding me, BTW and for clarifying that for future searchers!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...