All Apps and Add-ons

Timewrap showing incorrect week labels

msmapper
Path Finder

Hi there,

I just started to use Timewrap and I am having an issue with the displayed week label. I am trying to show the time chart for today and the same day last week only. In date terms, I want to only show June 17 (today) and June 10 (last Friday).

My search is:

data=device earliest=-2w  | timechart count span=1h | where strftime(_time, "%A") == strftime(now(),"%A") | timewrap w  series=exact|

When the search completes, the chart line labels read the week of June 10 and the week of June 03. There isn't a label for the week of June 17th (which is today). Also, how do I change the exact label to be the Day, not the "week of"
alt text

All help is appreciated
Regards

0 Karma
1 Solution

msmapper
Path Finder

Hi there,

I think this is the answer i was looking for and it doesn't use Timewrap.

data=device latest=now earliest=@d |stats sum(total_amount) AS Today  by device_type | appendcols [search  latest=-7d@m earliest=-7d@d|stats sum(total_amount) AS Last_Week by device_type ]

This allows me to compare to the exact same Today to Last week, to the Minute. I just couldn't get to the level I wanted with Timewrap at this time. It's a great command, but I think I just need to experiment with it more.

Regards

View solution in original post

0 Karma

msmapper
Path Finder

Hi there,

I think this is the answer i was looking for and it doesn't use Timewrap.

data=device latest=now earliest=@d |stats sum(total_amount) AS Today  by device_type | appendcols [search  latest=-7d@m earliest=-7d@d|stats sum(total_amount) AS Last_Week by device_type ]

This allows me to compare to the exact same Today to Last week, to the Minute. I just couldn't get to the level I wanted with Timewrap at this time. It's a great command, but I think I just need to experiment with it more.

Regards

0 Karma

Raghav2384
Motivator

That will work very well...I thought you wanted to achieve the search using time wrap:)

If time wrap is not a mandate, you can try this which is also faster when need to look for longer range comparisons

http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

Thanks,
Raghav

0 Karma

Raghav2384
Motivator

Hey There,

Can you try this?

data=device  earliest=-14d@d  | timechart count span=1d | where strftime(_time, "%A") == strftime(now(),"%A") | timewrap d series=exact|

if you use earliest=w, the least data point Splunk picks is a week. Since you need at a day level, try using -14d or -15d instead.

Hope this helps

Thanks,
Raghav

0 Karma

msmapper
Path Finder

Hi Raghav2384,

the timewrap d definitely gives me that date that i was looking for but it still give me data for Yesterday (june 19) and last week (june 13).

What i am trying to show is always the Current Day and the Same Day the previous week. I don't want Yesterday and Yesterday's same day the previous week. I have tried

data=device earliest=-14d@d

Any ideas on how to show Today in timewrap?

regards
Jen

and still get Yesterday as the

0 Karma

Raghav2384
Motivator

Hey,

Try this:

index=_internal earliest=-13d latest=now  | timechart count span=1d| where strftime(_time, "%A") == strftime(now(),"%A") | timewrap d series=relative|rename latest_day as today_thisweek|rename 7days_before as today_previousweek

Hope this helps!

Thanks,
Raghav

Change it as per your need...You can also rename the two data points

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...