Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Get results per week for custom _time field

utk123
Path Finder
‎11-10-2020 02:14 AM

Hello,

I am running a search for last 7 days results, and i am using fixed_date field as _time field.

fixed_date can have any value in last 1 year, so I filtering for results of last 6 months. 
I want the weekly results to show for every Monday. Below query shows results for last 2 Mondays, but then it pickup Thursday. 

 

 

 

index=abcd sourcetype=abcd (IP=x.x.x.x OR IP=y.y.y.y)
| eval _time=strptime(fixed_date,"%Y-%m-%d")
| where _time > relative_time(now(), "-6mon")
| bin _time span=w@w1
| stats count by IP ID _time
| stats count as "Fixed vulnerabilities" by _time


Results I get:
_time                                   Fixed vulnerabilities
2020-05-07                      3678
2020-05-14                      1455
....<few weekly results for total 6 months>

......

2020-10-22                      5543

2020-10-29                      2212

2020-11-02                      7732

2020-11-09                       2213

 

 

Only last 2 are Mondays, but all before those are Thursdays. how to get it for every Monday?

Labels (1)
Labels
Tags (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-10-2020 03:40 AM

What you are doing looks right, however, you could try aligning your earliest date to a Monday as well i.e 

| where _time > relative_time(now(), "-6mon@w1")

Another possibility is perhaps all your fixed_dates apart from the last couple of weeks are Thursdays?

0 Karma
Reply

utk123
Path Finder
‎11-10-2020 06:00 PM

this doesn't work. same results. 

fixed_dates got results every day, not just monday or thursday. But I want to combine results for a week to Monday or a fixed day in a week, which is not working.

It's because I am running a search for last 7 days, and so I only see last 2 Mondays. 

If I run the same search for last 6 months, then I see results for every Monday, but then the numbers are not correct. 

So I need to run it for last 7 days only to see latest results. 

0 Karma
Reply
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out &gt;&gt; &#x1f3c6; Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...