How can I force a timechart to snap to the end of the week rather than beginning?

andimnf
Explorer

I have a very simple search to count the number of emails delivered by week and display this in a timechart over the last 3 months.

This all works well, however the chart snaps to the day of the week the logs began. I've tried messing around with the advanced time offsets in the time picker, but it still only ever seems to snap to the start of the week. I would like to display this as the week ending date, as the count is for the emails that were delivered during that week.

e.g.
I'd like the snap points to be Mondays at 00:00, however I'd like the figure of that week to be the count of emails that came in during the previous week.

How can I do this?

My search is pretty simple (and could likely be made much more efficient):

index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d

I'm running Splunk Enterprise 7.1.3

Thanks in advance.

0 Karma
1 Solution

koshyk
Super Champion

A simple trick is to add 7 days to your _time?

index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d | eval _time=_time+(7*24*60*60)

The above will shift your chart by 7 days ahead. But feel free to change it to 24 hrs or something which fits you.
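The snap-then-shift behind that answer, simulated outside Splunk as an added example (this is not code from the thread or from Splunk): it filters out the internal domain with the same pattern the search uses, buckets constructed mail events into 7-day buckets that start on Monday 00:00 UTC (the week alignment the question asks for; Splunk's own bucket alignment is not reproduced here), and then relabels each bucket with the Monday that closes it, which is what `eval _time=_time+(7*24*60*60)` does to the timechart rows. The event list, sender addresses and the `external_events`/`week_start`/`weekly_counts` helpers are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
WEEK = timedelta(days=7)

# Sender filter from the thread's search, run through Python's re (assumed to
# behave like `regex from!=".*\@mydomain\.com"`): matching senders are dropped.
INTERNAL_SENDER = re.compile(r".*\@mydomain\.com")

# Constructed sample events (timestamp, sender); not real mail logs.
EVENTS = [
    (datetime(2024, 6, 3, 9, 15, tzinfo=UTC), "ext1@example.org"),    # Mon, week of Jun 3
    (datetime(2024, 6, 5, 14, 0, tzinfo=UTC), "ext2@example.net"),    # Wed, week of Jun 3
    (datetime(2024, 6, 9, 23, 59, tzinfo=UTC), "ext3@example.org"),   # Sun, still week of Jun 3
    (datetime(2024, 6, 9, 10, 0, tzinfo=UTC), "alice@mydomain.com"),  # internal, filtered out
    (datetime(2024, 6, 10, 0, 0, tzinfo=UTC), "ext4@example.org"),    # Mon 00:00, week of Jun 10
    (datetime(2024, 6, 12, 8, 30, tzinfo=UTC), "ext5@example.net"),   # Wed, week of Jun 10
]


def external_events(events):
    """Keep only events whose sender does not match the internal-domain pattern."""
    return [(ts, sender) for ts, sender in events if not INTERNAL_SENDER.search(sender)]


def week_start(ts):
    """Snap a timestamp down to Monday 00:00 of its week (the @w1 snap)."""
    monday = ts - timedelta(days=ts.weekday())
    return monday.replace(hour=0, minute=0, second=0, microsecond=0)


def weekly_counts(events, label="end"):
    """Count events per Monday-aligned 7-day bucket.

    label="start": key each bucket by its first instant (what timechart displays).
    label="end":   key each bucket by the Monday that closes it (start + 7 days),
                   the same relabelling as `eval _time=_time+(7*24*60*60)`.
    The shift only yields Monday labels because the buckets were Monday-aligned
    first; adding 7 days to an unaligned bucket keeps its original weekday.
    """
    if label not in ("start", "end"):
        raise ValueError("label must be 'start' or 'end'")
    counts = Counter(week_start(ts) for ts, _ in events)
    shift = WEEK if label == "end" else timedelta(0)
    return {start + shift: n for start, n in sorted(counts.items())}


if __name__ == "__main__":
    ext = external_events(EVENTS)
    for lbl in ("start", "end"):
        print(f"labelled by week {lbl}:")
        for when, n in weekly_counts(ext, lbl).items():
            print(f"  {when:%Y-%m-%d %a} -> {n}")
```

With the sample events, labelling by week start gives 3 for 2024-06-03 and 2 for 2024-06-10; labelling by week end moves those same counts to 2024-06-10 and 2024-06-17, so each Monday now carries the previous week's total. One caveat worth checking on the real search: the sender pattern has no end anchor, so in this simulation a sender such as user@mydomain.com.example is also treated as internal and dropped from the count; anchor the pattern with `$` if only the exact domain should be excluded.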


andrewtrobec
Motivator

I arrived at this conclusion as well... is there still no way of doing this with the timechart command?

0 Karma

andimnf
Explorer

Nice one! That's done it. Thanks.

0 Karma