Splunk Search

How can you restrict a timechart to display only weekdays?

philallen1
Path Finder

Hi

This has been asked before, over 18 month's ago, and there was no answer to it.
http://answers.splunk.com/answers/44743/how-can-you-restrict-timechart-to-display-only-weekdays

Has anyone got any idea how to remove certain days from a timechart? (In my case: weekends) I can remove them from the search, by using

date_wday!=saturday date_wday!=sunday

...but this is then displayed on the timechart like so (i.e. with the Sat and Sun data as "zero":

alt text

I want the timechart to exclude the Sat and Sun from the x axis completely. Any ideas?

1 Solution

somesoni2
Revered Legend

Try this

| your time chart search | eval date_wday=lower(strftime(_time,"%A")) |where NOT (date_wday=saturday OR date_wday=sunday) | fields - date_wday

View solution in original post

somesoni2
Revered Legend

Try this

| your time chart search | eval date_wday=lower(strftime(_time,"%A")) |where NOT (date_wday=saturday OR date_wday=sunday) | fields - date_wday

philallen1
Path Finder

That works Martin. Thanks a lot guys.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Try again putting his pipes after the timechart, and put the saturday and sunday after the equal signs in quotes:

... | timechart ... | eval date_wday=lower(strftime(_time,"%A")) |where NOT (date_wday="saturday" OR date_wday="sunday") | fields - date_wday

philallen1
Path Finder

Hi somesoni2
I couldn't get this to work...
My current search is:

sourcetype="UserLogs" UserName=%star% App=%star% "started in" OR "initialised in" | timechart count(App)

I've tried adding in your 'eval', 'where' and 'fields' commands in after and before the 'timechart' command, but with no luck...

0 Karma

gfuente
Motivator

Hello

Have you tried to use a chart instead of a timechart command. Something like:

your search ... date_wday!=saturday date_wday!=sunday | bin span=1d _time | chart count by _time

Regards

gfuente
Motivator

Hello,

I don't see the point of your first question if you only get data from last 24 hours, as you won't need to exclude data.

Anyway, i think you could calculate the buckets size dinamycally using this:
addinfo : to include searh earliest and latest time in epoch. Then substract the earliest to the latest, you get the difference in seconds. Then use eval with a case like:
case(diff<86000,"1h",diff>86000,"1d"). This will calculate the buckets size for your bin command

Regards

0 Karma

davebrooking
Contributor

Hi Phil
In the search reference for the bin command, http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bin there are 4 bucketing options :
bins=
minspan=
span= |

Dave

0 Karma

philallen1
Path Finder

Hi Dave
What exactly do you mean? I've tried googling what you suggest but can't fine anything. Could you give me a pointer to some documentation? I couldn't see anything in the 'bin' docs...

0 Karma

davebrooking
Contributor

I don't have a Splunk instance to check this on, but could you replace the span=1d in the bin command with the bins= option?

0 Karma

philallen1
Path Finder

Your answer does what I want - so thanks a lot for responding so promptly.

I do have a slight issue: because I use a timepicker on my dashboard, the x axis gets very crowded when I select a wide time range. The other issue is when I select a small time range (i.e. last 24 hours) because the data is bucketed into 'days' I only get 1 point on my chart - whereas before the timechart would cleverly adjust the x axis into hours.

If there's a solution to exclude weekends from a timechart, rather than a chart, then I'm all ears still and will award karma points.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...