Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can you restrict timechart to display only weekdays?

Glenn
Builder
‎04-05-2012 09:15 AM

I know how to exclude certain days from your search results: http://splunk-base.splunk.com/answers/1367/how-do-you-exclude-certain-days-from-a-time-range

But if you then pipe these results through timechart, the time line covers all days, and you just have gaps where the weekdays fall.

We have this requirement as we need to report on daily averages over time, but the values on weekends are skewed as the number of samples drops significantly. It appears that there are spikes in the data which misleads the user.

Tags (2)
0 Karma
Reply

cvajs
Contributor
‎04-05-2012 11:20 AM

example (mon-fri)
index=cisco_esa (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday)

index=cisco_esa (date_wday!=saturday AND date_wday!=sunday)

example (sat and sun only)
index=cisco_esa (date_wday!=monday AND date_wday!=tuesday AND date_wday!=wednesday AND date_wday!=thursday AND date_wday!=friday)

index=cisco_esa (date_wday=saturday OR date_wday=sunday)

then pipe as needed.
see http://docs.splunk.com/Documentation/Splunk/4.3.1/User/UseDefaultAndInternalFields

Reply

cvajs
Contributor
‎04-05-2012 07:54 PM

then create separate charts (views) for only the timeframes that contain the successive days this way the chart(s) wont have breaks, etc. i dunno if you can tell stats timechart or chart to skip time.

0 Karma
Reply

Glenn
Builder
‎04-05-2012 05:16 PM

Hi, thanks for your attempt. But unfortunately (at least when I view it in the report builder) timechart does not behave as you believe in 4.3.1 - it draws a chart containing the entire time span, and the weekend days which I have excluded have no data, ie. gaps/breaks in the lines. This looks a bit stupid.

0 Karma
Reply

cvajs
Contributor
‎04-05-2012 11:58 AM

ok, misread the question, but the again, not really sure what the question is. timechart will chart the data from the search and if a day has no data then that day avg will be zero. i believe the timechart will have a timeline of whatever your search was, so if you say only sat and sun over last 3 weeks then timechart will show 3 weeks with only data on sat and sun, etc.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎04-05-2012 11:19 AM

Would a logarithmic scale make sense, so that the spikes are less pronounced?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...