Solved: Re: Timewrap showing incorrect week labels

msmapper · ‎06-17-2016

Hi there,

I just started to use Timewrap and I am having an issue with the displayed week label. I am trying to show the time chart for today and the same day last week only. In date terms, I want to only show June 17 (today) and June 10 (last Friday).

My search is:

data=device earliest=-2w  | timechart count span=1h | where strftime(_time, "%A") == strftime(now(),"%A") | timewrap w  series=exact|

When the search completes, the chart line labels read the week of June 10 and the week of June 03. There isn't a label for the week of June 17th (which is today). Also, how do I change the exact label to be the Day, not the "week of"

All help is appreciated
Regards

msmapper · ‎06-20-2016

Hi there,

I think this is the answer i was looking for and it doesn't use Timewrap.

data=device latest=now earliest=@d |stats sum(total_amount) AS Today  by device_type | appendcols [search  latest=-7d@m earliest=-7d@d|stats sum(total_amount) AS Last_Week by device_type ]

This allows me to compare to the exact same Today to Last week, to the Minute. I just couldn't get to the level I wanted with Timewrap at this time. It's a great command, but I think I just need to experiment with it more.

Regards

View solution in original post

msmapper · ‎06-20-2016

Hi there,

I think this is the answer i was looking for and it doesn't use Timewrap.

data=device latest=now earliest=@d |stats sum(total_amount) AS Today  by device_type | appendcols [search  latest=-7d@m earliest=-7d@d|stats sum(total_amount) AS Last_Week by device_type ]

This allows me to compare to the exact same Today to Last week, to the Minute. I just couldn't get to the level I wanted with Timewrap at this time. It's a great command, but I think I just need to experiment with it more.

Regards

Raghav2384 · ‎06-20-2016

That will work very well...I thought you wanted to achieve the search using time wrap:)

If time wrap is not a mandate, you can try this which is also faster when need to look for longer range comparisons

http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

Thanks,
Raghav

Raghav2384 · ‎06-17-2016

Hey There,

Can you try this?

data=device  earliest=-14d@d  | timechart count span=1d | where strftime(_time, "%A") == strftime(now(),"%A") | timewrap d series=exact|

if you use earliest=w, the least data point Splunk picks is a week. Since you need at a day level, try using -14d or -15d instead.

Hope this helps

Thanks,
Raghav

msmapper · ‎06-20-2016

Hi Raghav2384,

the timewrap d definitely gives me that date that i was looking for but it still give me data for Yesterday (june 19) and last week (june 13).

What i am trying to show is always the Current Day and the Same Day the previous week. I don't want Yesterday and Yesterday's same day the previous week. I have tried

data=device earliest=-14d@d

Any ideas on how to show Today in timewrap?

regards
Jen

and still get Yesterday as the

Raghav2384 · ‎06-20-2016

Hey,

Try this:

index=_internal earliest=-13d latest=now  | timechart count span=1d| where strftime(_time, "%A") == strftime(now(),"%A") | timewrap d series=relative|rename latest_day as today_thisweek|rename 7days_before as today_previousweek

Hope this helps!

Thanks,
Raghav

Change it as per your need...You can also rename the two data points

Timewrap showing incorrect week labels

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?