I'm trying to build a saved search that aggregates data week over week on Sunday to Sunday boundaries. My search is correctly aggregating the data. When I try to visualize it with Timechart the tick marks are on Monday to Monday boundaries. Is there a way to correct this behavior?
index="closed-case-data" OR index="open-case-data" earliest="05/28/2017:00:00:00" latest=-0w@w0
| dedup case_number
| timechart span=1w@w0 count by eventtype
| rename cases as "Cases", events as "Events", incidents as "Incidents"
Try this you can get the data for whole week.
In a Week starting from Sunday and ending on Monday you can get the time chart..
But not for Sunday to Sunday on Timechart..
You can get Sunday to Sunday data without Timechart in the events (eg : index=* earliest=@w0 latest=+7d@w7).
index=* earliest=@w0 latest=+7d@w7
| timechart count by host