Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Get results per week for custom _time field

utk123
Path Finder
‎11-10-2020 02:14 AM

Hello,

I am running a search for last 7 days results, and i am using fixed_date field as _time field.

fixed_date can have any value in last 1 year, so I filtering for results of last 6 months. 
I want the weekly results to show for every Monday. Below query shows results for last 2 Mondays, but then it pickup Thursday. 

 

 

 

index=abcd sourcetype=abcd (IP=x.x.x.x OR IP=y.y.y.y)
| eval _time=strptime(fixed_date,"%Y-%m-%d")
| where _time > relative_time(now(), "-6mon")
| bin _time span=w@w1
| stats count by IP ID _time
| stats count as "Fixed vulnerabilities" by _time


Results I get:
_time                                   Fixed vulnerabilities
2020-05-07                      3678
2020-05-14                      1455
....<few weekly results for total 6 months>

......

2020-10-22                      5543

2020-10-29                      2212

2020-11-02                      7732

2020-11-09                       2213

 

 

Only last 2 are Mondays, but all before those are Thursdays. how to get it for every Monday?

Labels (1)
Labels
Tags (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-10-2020 03:40 AM

What you are doing looks right, however, you could try aligning your earliest date to a Monday as well i.e 

| where _time > relative_time(now(), "-6mon@w1")

Another possibility is perhaps all your fixed_dates apart from the last couple of weeks are Thursdays?

0 Karma
Reply

utk123
Path Finder
‎11-10-2020 06:00 PM

this doesn't work. same results. 

fixed_dates got results every day, not just monday or thursday. But I want to combine results for a week to Monday or a fixed day in a week, which is not working.

It's because I am running a search for last 7 days, and so I only see last 2 Mondays. 

If I run the same search for last 6 months, then I see results for every Monday, but then the numbers are not correct. 

So I need to run it for last 7 days only to see latest results. 

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...