Splunk Search

How can I force a timechart to snap to the end of the week rather than beginning?

Explorer

I have a very simple search to count the number of emails delivered per week and display this in a timechart over the last 3 months.

This all works well; however, the chart snaps to the day of the week on which the logs began. I've tried messing around with the advanced time offsets in the time picker, but it still only ever seems to snap to the start of the week. I would like to display this as the week-ending date, as the count is for the emails that were delivered during that week.

e.g.
I'd like the snap points to be Mondays at 00:00, however I'd like the figure of that week to be the count of emails that came in during the previous week.

How can I do this?

My search is pretty simple (and could likely be made much more efficient):

index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d

I'm running Splunk Enterprise 7.1.3

Thanks in advance.

1 Solution

Super Champion

A simple trick is to add 7 days to your _time:

 index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d | eval _time=_time+(7*24*60*60)

The above will shift your chart 7 days ahead, but feel free to change it to 24 hrs or whatever fits you.

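The two steps of the accepted answer, modelled in plain Python as an added example (this is not code from the thread and it does not talk to Splunk): step one buckets events into 7-day windows the way `timechart count span=7d` does, step two is the `eval _time=_time+(7*24*60*60)` relabel. The mail timestamps are constructed, and the Monday-aligned origin is an assumption standing in for the "snap to Monday 00:00" the question asks for. Running it with and without that alignment shows what the trick does and does not do: the shift turns each bucket's start label into its end label, but the bucket boundaries themselves come from the bucketing step, so if the buckets start on the day the logs began they still start there after the shift.

```python
"""Model of 'bucket by 7 days, then add 7 days to _time' on constructed data."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WEEK = 7 * 24 * 60 * 60  # seconds; the same constant as in the SPL eval


def iso_utc(s):
    """Parse 'YYYY-MM-DDTHH:MM:SS' as UTC and return epoch seconds."""
    d = datetime.strptime(s, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(d.timestamp())


def midnight_before(ts):
    """00:00 UTC of the day containing ts (where a span=7d chart that
    'snaps to the day the logs began' places its first boundary)."""
    d = datetime.fromtimestamp(ts, tz=timezone.utc)
    return int(d.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())


def monday_midnight_before(ts):
    """Most recent Monday 00:00 UTC at or before ts (assumed stand-in for
    the Monday alignment the question asks for)."""
    d = datetime.fromtimestamp(ts, tz=timezone.utc)
    monday = d - timedelta(days=d.weekday())  # weekday(): Monday == 0
    return int(monday.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())


def bucket_counts(timestamps, origin, span=WEEK):
    """Step 1, like `timechart count span=7d`: count events per span-sized
    bucket whose first boundary is `origin`. Keys are bucket START times."""
    counts = Counter()
    for ts in timestamps:
        counts[origin + ((ts - origin) // span) * span] += 1
    return dict(counts)


def shift_labels(buckets, seconds=WEEK):
    """Step 2, the answer's `eval _time=_time+(7*24*60*60)`: relabel every
    bucket by start + seconds, i.e. by the bucket's END. Counts untouched."""
    return {start + seconds: n for start, n in buckets.items()}


def weekly_counts(timestamps, align_to_monday):
    """End to end: {week_ending_epoch: number of events in the 7 days before it}."""
    if not timestamps:
        return {}
    first = min(timestamps)
    origin = monday_midnight_before(first) if align_to_monday else midnight_before(first)
    return shift_labels(bucket_counts(timestamps, origin))


# Constructed sample: delivery times of five mails. 2018-10-01 is a Monday,
# so the first event falls on a Wednesday, as in the question's scenario.
SAMPLE_EVENTS = [iso_utc(s) for s in (
    "2018-10-03T09:00:00",  # Wed
    "2018-10-05T12:00:00",  # Fri
    "2018-10-08T08:00:00",  # Mon
    "2018-10-09T10:00:00",  # Tue
    "2018-10-15T00:30:00",  # Mon
)]


def describe(counts):
    return {datetime.fromtimestamp(k, tz=timezone.utc).strftime("%a %Y-%m-%d %H:%M"): n
            for k, n in sorted(counts.items())}


if __name__ == "__main__":
    # Buckets start on the Wednesday the logs began; the shift moves the
    # labels to Wednesdays too, which is not the Monday snap wanted.
    print("unaligned:", describe(weekly_counts(SAMPLE_EVENTS, align_to_monday=False)))
    # Monday-aligned buckets plus the shift: each Monday 00:00 carries the
    # count for the preceding Mon-Sun week.
    print("monday   :", describe(weekly_counts(SAMPLE_EVENTS, align_to_monday=True)))
```

The unaligned run labels 4 mails at Wed 2018-10-10 and 1 at Wed 2018-10-17; the Monday-aligned run labels 2 at Mon 2018-10-08, 2 at Mon 2018-10-15 and 1 at Mon 2018-10-22, which is the "Monday 00:00 showing the previous week's count" the question describes. The relabel alone never moves a boundary, so the alignment has to be right before the shift is applied.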


Builder

I arrived at this conclusion as well... is there still no way of doing this with the timechart command?


Explorer

Nice one! That's done it. Thanks.
