All Apps and Add-ons

Timewrap showing incorrect week labels

msmapper
Path Finder

Hi there,

I just started to use Timewrap and I am having an issue with the displayed week label. I am trying to show the time chart for today and the same day last week only. In date terms, I want to only show June 17 (today) and June 10 (last Friday).

My search is:

data=device earliest=-2w  | timechart count span=1h | where strftime(_time, "%A") == strftime(now(),"%A") | timewrap w  series=exact|

When the search completes, the chart line labels read the week of June 10 and the week of June 03. There isn't a label for the week of June 17th (which is today). Also, how do I change the exact label to be the Day, not the "week of"
alt text

All help is appreciated
Regards

0 Karma
1 Solution

msmapper
Path Finder

Hi there,

I think this is the answer i was looking for and it doesn't use Timewrap.

data=device latest=now earliest=@d |stats sum(total_amount) AS Today  by device_type | appendcols [search  latest=-7d@m earliest=-7d@d|stats sum(total_amount) AS Last_Week by device_type ]

This allows me to compare to the exact same Today to Last week, to the Minute. I just couldn't get to the level I wanted with Timewrap at this time. It's a great command, but I think I just need to experiment with it more.

Regards

View solution in original post

0 Karma

msmapper
Path Finder

Hi there,

I think this is the answer i was looking for and it doesn't use Timewrap.

data=device latest=now earliest=@d |stats sum(total_amount) AS Today  by device_type | appendcols [search  latest=-7d@m earliest=-7d@d|stats sum(total_amount) AS Last_Week by device_type ]

This allows me to compare to the exact same Today to Last week, to the Minute. I just couldn't get to the level I wanted with Timewrap at this time. It's a great command, but I think I just need to experiment with it more.

Regards

0 Karma

Raghav2384
Motivator

That will work very well...I thought you wanted to achieve the search using time wrap:)

If time wrap is not a mandate, you can try this which is also faster when need to look for longer range comparisons

http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

Thanks,
Raghav

0 Karma

Raghav2384
Motivator

Hey There,

Can you try this?

data=device  earliest=-14d@d  | timechart count span=1d | where strftime(_time, "%A") == strftime(now(),"%A") | timewrap d series=exact|

if you use earliest=w, the least data point Splunk picks is a week. Since you need at a day level, try using -14d or -15d instead.

Hope this helps

Thanks,
Raghav

0 Karma

msmapper
Path Finder

Hi Raghav2384,

the timewrap d definitely gives me that date that i was looking for but it still give me data for Yesterday (june 19) and last week (june 13).

What i am trying to show is always the Current Day and the Same Day the previous week. I don't want Yesterday and Yesterday's same day the previous week. I have tried

data=device earliest=-14d@d

Any ideas on how to show Today in timewrap?

regards
Jen

and still get Yesterday as the

0 Karma

Raghav2384
Motivator

Hey,

Try this:

index=_internal earliest=-13d latest=now  | timechart count span=1d| where strftime(_time, "%A") == strftime(now(),"%A") | timewrap d series=relative|rename latest_day as today_thisweek|rename 7days_before as today_previousweek

Hope this helps!

Thanks,
Raghav

Change it as per your need...You can also rename the two data points

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...