Deployment Architecture
Highlighted

Change the day from where the week starts in bucket.

Explorer

I am running this query in splunk which aggregates and bucketizes the data on a weekly basis , based on the field "impact_start" and gives me the output. But the problem is that the start of the week in the output is Thursday rather than Monday.
Is there any way i can change the start of the week to Monday instead of Thursday?

search index=* impact=1 OR impact=2 product_line=* | eval time = round( strptime(impact_start,"%Y-%m-%d %H:%M:%S"), 0 )| where time >= 1473328728 AND time<=1476352728| bucket time span=7d | stats values(number) as incident_name by time
0 Karma
Highlighted

Re: Change the day from where the week starts in bucket.

Contributor

I think this answer may point you in the right direction

Dave

0 Karma
Highlighted

Re: Change the day from where the week starts in bucket.

Legend

See if this works

search index=* impact=1 OR impact=2 product_line=* 
| eval time = round( strptime(impact_start,"%Y-%m-%d %H:%M:%S"), 0 ) 
| where time >= 1473328728 AND time<=1476352728 
| evenstats earliest(_time) as e
| eval time=if(e=_time AND _time>relative_time(_time, "-@w1"), mvrange(relative_time(_time, "-@w1"), _time), _time)
| mvexpand time
| fillnull number
| bucket time span=7d 
| stats values(number) as incident_name by time
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.