How to skip the weekends in the timechart or a cha...

sambit_kabi · ‎06-29-2020

I have a search query which yields a timechart . I want to show just the weekdays and skip the weekends in the charting of data using timechart.

I have used the clause | eval day_of_week = strftime(_time,"%A")
| where NOT (day_of_week="Saturday" OR day_of_week="Sunday")
| fields - day_of_week in my query before and after the timechart.

The data doesn't have the weekend information whereas when this is charted using the timechart I always get the weekends on my x-axis.

Any idea how to solve it?

cpm003 · ‎06-29-2020

Hello!

Try in this order

[...]

| where NOT date_wday in ("Saturday","Sunday")
| eval day_of_week = strftime(_time,"%A")

[...]

sambit_kabi · ‎06-30-2020

Hi , thanks for the reply. I had tried the same with the clause before and after the chart command. It didn't work for me in either case.

However the following worked for me. I am not not sure though why it worked and what is Splunk's behavior when I used strftime.

| eval date=strftime(_time,"%d-%b-%y %H:%M:%S %a")
| chart limit=0 useother=false count as Volume by date,Description

to4kawa · ‎06-30-2020

sample:

| tstats count where index=_internal earliest=0 by _time span=1d
| eval weekday=if(strftime(_time,"%w") = "0" OR strftime(_time,"%w") = "6",1,0)
| where weekday=0
| eval weekday=strftime(_time,"%a")

reference:https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

How to skip the weekends in the timechart or a chart?

chart

timechart

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?