Splunk Search

Change x axis _time display to weekly instead of daily

Explorer

So I'm aiming for a month's worth of data to be displayed as "Week 1, Week 2, Week 3, Week 4" instead of by "Apr 13, Apr 30, etc."

I've been formatting both my XML and search string but to no avail. Any suggestions?

0 Karma
1 Solution

SplunkTrust
SplunkTrust

You could either use the calendar week %V

your search | eval week=strftime(_time,"%V") |stats count by week

Or

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week

or if you want to specifically display week number then,

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week|streamstats count as weeknum|eval week="Week".weeknum|fields - weeknum

View solution in original post

SplunkTrust
SplunkTrust

You could either use the calendar week %V

your search | eval week=strftime(_time,"%V") |stats count by week

Or

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week

or if you want to specifically display week number then,

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week|streamstats count as weeknum|eval week="Week".weeknum|fields - weeknum

View solution in original post

SplunkTrust
SplunkTrust

@link22, does it work for you?

0 Karma

Explorer

It did! Thank you so much, you really helped me a lot!

0 Karma