Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Converting Date to first day of the week

raysonjoberts
Path Finder
‎06-20-2024 12:50 PM

I am analyzing some .csvs which have a "date" field present. The .csvs are indexed, but the index time is pretty irrelevant, however, the "date" field is important.

I am trying to create a new field which would represent the first day of the week relative to the "date" field in my data. Ultimately I am going to create some charts over time which will use this new field. Below is an example of my desired outcome - from the date present as a field in the .csv, create a new field (Summary Date) which shows the date of Monday for that week.

Date (present in .csv)Summary Date  (new field)
6/15/20246/10/2024
6/16/20246/10/2024
6/18/20246/17/2024

 

* realizing there may be more than one way to skin the cat, ultimately I am looking to group results by week in Line Charts. The query will be very basic, something like this:

<base search>
| chart sum(results) by "Summary Date"

 

And I want the date shown on the X-axis to be the first day (Monday in my case) of every week. Maybe there is an easier solution than creating a new "Summary Date" field via an eval expression, but that is where my head goes first.
Any suggestions are appreciated!

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-20-2024 01:32 PM

There is more than one way to do that.  If you want to create a new field, use eval with relative_time and strptime.

<<base search>>
| eval SummaryDate = relative_time(strptime(Date, "%d/%m/%Y"), "@w+1d")
| chart sum(results) over SummaryDate

Since "@w" snaps to Sunday, we use "+1d" to start the week on Monday.

Here's another way using the bin command.

<<base search>>
| bin _time span=1w
``` Convert _time from Sundays to Mondays ```
| eval SummaryDate = _time+86400
| chart sum(results) over SummaryDate

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-20-2024 01:32 PM

There is more than one way to do that.  If you want to create a new field, use eval with relative_time and strptime.

<<base search>>
| eval SummaryDate = relative_time(strptime(Date, "%d/%m/%Y"), "@w+1d")
| chart sum(results) over SummaryDate

Since "@w" snaps to Sunday, we use "+1d" to start the week on Monday.

Here's another way using the bin command.

<<base search>>
| bin _time span=1w
``` Convert _time from Sundays to Mondays ```
| eval SummaryDate = _time+86400
| chart sum(results) over SummaryDate

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-20-2024 04:10 PM

bin command also needs snap to, i.e.

| bin _time span=1w@w

or 

| bin _time span=1w aligntime=@w+1d

otherwise it just gives you 7 day chunks.

 

Reply
Solved! Jump to solution

raysonjoberts
Path Finder
‎06-20-2024 04:03 PM

Works perfectly, thank you! I was dancing all around it but could not nail it down. That did it for me!

Reply
Get Updates on the Splunk Community!

Buttercup Games Tutorial Extension - part 9

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games Tutorial Extension - part 8

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
li.common.scroll-to.top