Deployment Architecture

Change the day from where the week starts in bucket.

Explorer

I am running this query in splunk which aggregates and bucketizes the data on a weekly basis , based on the field "impact_start" and gives me the output. But the problem is that the start of the week in the output is Thursday rather than Monday.
Is there any way i can change the start of the week to Monday instead of Thursday?

search index=* impact=1 OR impact=2 product_line=* | eval time = round( strptime(impact_start,"%Y-%m-%d %H:%M:%S"), 0 )| where time >= 1473328728 AND time<=1476352728| bucket time span=7d | stats values(number) as incident_name by time
0 Karma

Legend

See if this works

search index=* impact=1 OR impact=2 product_line=* 
| eval time = round( strptime(impact_start,"%Y-%m-%d %H:%M:%S"), 0 ) 
| where time >= 1473328728 AND time<=1476352728 
| evenstats earliest(_time) as e
| eval time=if(e=_time AND _time>relative_time(_time, "-@w1"), mvrange(relative_time(_time, "-@w1"), _time), _time)
| mvexpand time
| fillnull number
| bucket time span=7d 
| stats values(number) as incident_name by time
0 Karma

Contributor

I think this answer may point you in the right direction

Dave

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!