Splunk Search

How can I force a timechart to snap to the end of the week rather than beginning?

andimnf
Explorer

I have a very simple search to count the amount of emails delivered by week and display this in a timechart over the last 3 months.

This all works well, however the chart snaps to the day of the week the logs began. I've tried messing around with the advanced time offsets in the time picker, but it still only ever seems to snap to the start of the week. I would like to display this as the week ending date, as the count is for the emails that were delivered during that week.

e.g.
I'd like the snap points to be Mondays at 00:00, however I'd like the figure of that week to be the count of emails that came in during the previous week.

How can I do this?

My search is pretty simple (and could likely be made much more efficient):

index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d

I'm running Splunk Enterprise 7.1.3

Thanks in advance.

1 Solution

koshyk
Super Champion

A simple trick is to add 7 days to your _time:

index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d | eval _time=_time+(7*24*60*60)

The above will shift your chart 7 days ahead, but feel free to change it to 24 hours or something that fits you.


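The bucketing behind the accepted answer, worked through offline as an added example (this is not code from the thread or from Splunk): events are snapped to Monday 00:00, counted per 7-day bucket, and the label is then moved forward by 7 days after counting, which is what the trailing eval on _time does. The sample mail events, the sender filter mirroring the thread's regex, and the function names are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of mail events (sender, delivery time in UTC); not real log data.
SAMPLE_EVENTS = [
    ("alice@example.org",     "2018-09-30T23:59:59+00:00"),  # Sunday, last second of the week
    ("alerts@vendor.example", "2018-10-01T00:00:00+00:00"),  # Monday 00:00, first second of the new week
    ("bob@mydomain.com",      "2018-10-02T09:00:00+00:00"),  # internal sender, filtered out
    ("carol@example.net",     "2018-10-03T12:00:00+00:00"),
    ("dave@example.org",      "2018-10-07T18:30:00+00:00"),  # Sunday evening, still the same week
    ("erin@example.com",      "2018-10-08T08:15:00+00:00"),  # next Monday
]

# Same test as the thread's regex from!=".*\@mydomain\.com" (unanchored substring match).
INTERNAL = re.compile(r"@mydomain\.com")
WEEK = timedelta(days=7)


def is_external(sender: str) -> bool:
    """True for senders the search keeps, i.e. anything not matching the internal domain."""
    return INTERNAL.search(sender) is None


def snap_to_monday(ts: datetime) -> datetime:
    """Snap to the preceding Monday 00:00 in the timestamp's own zone (Splunk's @w1 snap)."""
    day_start = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return day_start - timedelta(days=day_start.weekday())  # Monday is weekday 0


def weekly_counts(events, week_ending=True):
    """Count external mail per Monday-aligned 7-day bucket, keyed by a YYYY-MM-DD label.

    week_ending=False labels each bucket by its start (the snap point the chart shows by default).
    week_ending=True adds 7 days to the label after counting, exactly what
    '| eval _time=_time+(7*24*60*60)' after timechart does: the Monday 00:00 label now
    names the end of the week whose mail it counts.
    """
    counts = Counter(
        snap_to_monday(datetime.fromisoformat(ts))
        for sender, ts in events
        if is_external(sender)
    )
    shift = WEEK if week_ending else timedelta(0)
    return {(start + shift).strftime("%Y-%m-%d"): n for start, n in sorted(counts.items())}


if __name__ == "__main__":
    for label, n in weekly_counts(SAMPLE_EVENTS).items():
        print(f"week ending {label}: {n}")
```

Two details worth checking against your own data: an event stamped exactly Monday 00:00 lands in the new week, not the one that just closed, and the snap happens in the timestamp's time zone, so a search run with a different user time zone than the indexer will move the bucket edges. The 7-day shift is applied to the finished buckets, not to the raw events, so it relabels the bars without changing which events each bar counts.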

andrewtrobec
Motivator

I arrived at this conclusion as well... is there still no way of doing this with the timechart command?


andimnf
Explorer

Nice one! That's done it. Thanks.
