Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Converting Date to first day of the week

raysonjoberts
Path Finder
‎06-20-2024 12:50 PM

I am analyzing some .csvs which have a "date" field present. The .csvs are indexed, but the index time is pretty irrelevant, however, the "date" field is important.

I am trying to create a new field which would represent the first day of the week relative to the "date" field in my data. Ultimately I am going to create some charts over time which will use this new field. Below is an example of my desired outcome - from the date present as a field in the .csv, create a new field (Summary Date) which shows the date of Monday for that week.

Date (present in .csv)Summary Date  (new field)
6/15/20246/10/2024
6/16/20246/10/2024
6/18/20246/17/2024

 

* realizing there may be more than one way to skin the cat, ultimately I am looking to group results by week in Line Charts. The query will be very basic, something like this:

<base search>
| chart sum(results) by "Summary Date"

 

And I want the date shown on the X-axis to be the first day (Monday in my case) of every week. Maybe there is an easier solution than creating a new "Summary Date" field via an eval expression, but that is where my head goes first.
Any suggestions are appreciated!

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-20-2024 01:32 PM

There is more than one way to do that.  If you want to create a new field, use eval with relative_time and strptime.

<<base search>>
| eval SummaryDate = relative_time(strptime(Date, "%d/%m/%Y"), "@w+1d")
| chart sum(results) over SummaryDate

Since "@w" snaps to Sunday, we use "+1d" to start the week on Monday.

Here's another way using the bin command.

<<base search>>
| bin _time span=1w
``` Convert _time from Sundays to Mondays ```
| eval SummaryDate = _time+86400
| chart sum(results) over SummaryDate

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-20-2024 01:32 PM

There is more than one way to do that.  If you want to create a new field, use eval with relative_time and strptime.

<<base search>>
| eval SummaryDate = relative_time(strptime(Date, "%d/%m/%Y"), "@w+1d")
| chart sum(results) over SummaryDate

Since "@w" snaps to Sunday, we use "+1d" to start the week on Monday.

Here's another way using the bin command.

<<base search>>
| bin _time span=1w
``` Convert _time from Sundays to Mondays ```
| eval SummaryDate = _time+86400
| chart sum(results) over SummaryDate

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-20-2024 04:10 PM

bin command also needs snap to, i.e.

| bin _time span=1w@w

or 

| bin _time span=1w aligntime=@w+1d

otherwise it just gives you 7 day chunks.

 

Reply
Solved! Jump to solution

raysonjoberts
Path Finder
‎06-20-2024 04:03 PM

Works perfectly, thank you! I was dancing all around it but could not nail it down. That did it for me!

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...