Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Change the day from where the week starts in bucket.

tikoonikhil
Explorer
‎10-13-2016 03:10 AM

I am running this query in splunk which aggregates and bucketizes the data on a weekly basis , based on the field "impact_start" and gives me the output. But the problem is that the start of the week in the output is Thursday rather than Monday.
Is there any way i can change the start of the week to Monday instead of Thursday?

search index=* impact=1 OR impact=2 product_line=* | eval time = round( strptime(impact_start,"%Y-%m-%d %H:%M:%S"), 0 )| where time >= 1473328728 AND time<=1476352728| bucket time span=7d | stats values(number) as incident_name by time
0 Karma
Reply

sundareshr
Legend
‎10-13-2016 04:30 AM

See if this works

search index=* impact=1 OR impact=2 product_line=* 
| eval time = round( strptime(impact_start,"%Y-%m-%d %H:%M:%S"), 0 ) 
| where time >= 1473328728 AND time<=1476352728 
| evenstats earliest(_time) as e
| eval time=if(e=_time AND _time>relative_time(_time, "-@w1"), mvrange(relative_time(_time, "-@w1"), _time), _time)
| mvexpand time
| fillnull number
| bucket time span=7d 
| stats values(number) as incident_name by time
0 Karma
Reply

davebrooking
Contributor
‎10-13-2016 04:15 AM

I think this answer may point you in the right direction

Dave

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...