- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Filtering with the week number
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a question: can we do a filtering with the week number
In my dashboard I have filtering on the period (yesterday, last week,last month ...), I want to add in this drop-down list the numbers of the weeks to be able to filtering on it
example: week 1: from the first of January to 07 January
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I'm reading your question differently than the others who've answered. It looks to me like you want to be able to add some options into the time filter dropdown to allow users to search for events by week number. The good news: this is possible. The bad news: I don't think it's possible to do this by adding to the regular timepicker. But if you want a dashboard where the time filters are done in a custom dropdown that allows users to select the week, here's a template for doing that:
<form>
<label>test_timepicker</label>
<fieldset submitButton="false">
<input type="dropdown" token="week_timepicker">
<label>Week</label>
<choice value="w1">Week 1</choice>
<choice value="w2">Week 2</choice>
<choice value="w3">Week 3</choice>
<change>
<condition label="Week 1">
<set token="time_earliest">@y</set>
<set token="time_latest">@y+1w</set>
</condition>
<condition label="Week 2">
<set token="time_earliest">@y+1w</set>
<set token="time_latest">@y+2w</set>
</condition>
<condition label="Week 3">
<set token="time_earliest">@y+2w</set>
<set token="time_latest">@y+3w</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<event>
<search>
<query>index=_internal</query>
<earliest>$time_earliest$</earliest>
<latest>$time_latest$</latest>
</search>
</event>
</panel>
</row>
</form>
You can add to this list of options and make it totally custom - some week options, some day options, etc. The key is to add a <choice> relating to the custom time period you want to specify and then add a <condition> element below that sets both tokens $time_earliest$ and $time_latest$, which are consumed by the panel below running a search. The values you'll use in the <condition> elements will be drawn from this guide: http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/SearchTimeModifiers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I'm reading your question differently than the others who've answered. It looks to me like you want to be able to add some options into the time filter dropdown to allow users to search for events by week number. The good news: this is possible. The bad news: I don't think it's possible to do this by adding to the regular timepicker. But if you want a dashboard where the time filters are done in a custom dropdown that allows users to select the week, here's a template for doing that:
<form>
<label>test_timepicker</label>
<fieldset submitButton="false">
<input type="dropdown" token="week_timepicker">
<label>Week</label>
<choice value="w1">Week 1</choice>
<choice value="w2">Week 2</choice>
<choice value="w3">Week 3</choice>
<change>
<condition label="Week 1">
<set token="time_earliest">@y</set>
<set token="time_latest">@y+1w</set>
</condition>
<condition label="Week 2">
<set token="time_earliest">@y+1w</set>
<set token="time_latest">@y+2w</set>
</condition>
<condition label="Week 3">
<set token="time_earliest">@y+2w</set>
<set token="time_latest">@y+3w</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<event>
<search>
<query>index=_internal</query>
<earliest>$time_earliest$</earliest>
<latest>$time_latest$</latest>
</search>
</event>
</panel>
</row>
</form>
You can add to this list of options and make it totally custom - some week options, some day options, etc. The key is to add a <choice> relating to the custom time period you want to specify and then add a <condition> element below that sets both tokens $time_earliest$ and $time_latest$, which are consumed by the panel below running a search. The values you'll use in the <condition> elements will be drawn from this guide: http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/SearchTimeModifiers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a suggestion - Use @y@w to start from the first day of the week
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That will break at week boundaries defined by day of the week, not by Jan1-7, as requested.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval weeknr=strftime(_time,"%V")
Or use %U or %W depending on which definition of the week numbering you prefer. See also: http://php.net/manual/en/function.strftime.php
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, just add some conditional logic like this
| eval date=strftime(_time,"%d")
| eval week=case(date>0 AND date<8,"week1",date>7 AND date<15,"week2",date>15 AND date<22,"week3",1=1,"week4")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@taha13 did this work for you?
Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...
Preparing your Splunk Environment for OpenSSL3
Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector
