Splunk Search

How come my chart is not displaying in the right order?

Zakary_n
Path Finder

In order to remove weekend days completely from my timechart, I created a request:

My Base Search

| eval date_wday=lower(strftime(_time,"%A"))
| eval date_w=strftime(_time,"%d/%m") 
| where NOT (date_wday = "sunday" OR date_wday = "saturday")
| chart count(foo) as "foo", count(bar) as "bar" by date_w
| rename date_w as "Working Days"

And I get this result, with the problem that days are not in the right order:


Even if I add "| sort date_w" in my search, it won't display properly.

Is there a way to correct this?

0 Karma
1 Solution

niketn
Legend

@Zakary_n, change | eval date_w=strftime(_time,"%d/%m") to | eval date_w=strftime(_time,"%m/%d").

Also check whether the default extracted field date_wday already exists in your data; if it does, you will not need | eval date_wday=lower(strftime(_time,"%A")) and you can move NOT (date_wday = "sunday" OR date_wday = "saturday") to the base search as (date_wday!="sunday" AND date_wday!="saturday").

Try the following search:

My Base Search (date_wday!="sunday" AND date_wday!="saturday")
| eval date_w=strftime(_time,"%Y/%m/%d")
| chart count(foo) as "foo", count(bar) as "bar" by date_w
| rename date_w as "Working Days"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma


Zakary_n
Path Finder

@niketnilay yup I did that. It's a fine workaround I guess, thank you.
Now if they ask me at my work to change the format of the date I'll legit cry lol.
Thanks again

0 Karma

niketn
Legend

@Zakary_n there may be some nasty workaround possible in case that is absolutely required. Until then, the happy path is to use YYYY/mm/dd for string time sorting. 🙂

I have converted my comment to answer. Please accept to mark this as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
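
Added example, not part of any post in this thread: one way to keep a dd/mm label while the days still appear in chronological order. It aggregates on the numeric _time day bucket, which sorts correctly, and formats the label only after the aggregation; the makeresults events, the 2024-03-25 start date and the foo/bar values are constructed sample data standing in for the base search.

```spl
| makeresults count=14
| streamstats count as n
| eval _time=strptime("2024-03-25 12:00","%Y-%m-%d %H:%M") + (n-1)*86400
| eval foo=1, bar=if(n%2==0, 1, null())
| eval date_wday=lower(strftime(_time,"%A"))
| where NOT (date_wday="saturday" OR date_wday="sunday")
| bin _time span=1d
| stats count(foo) as "foo", count(bar) as "bar" by _time
| sort 0 _time
| eval "Working Days"=strftime(_time,"%d/%m")
| table "Working Days" foo bar
```

The sample range crosses a month boundary (25/03 to 05/04), which is where a text sort on "%d/%m" would place 01/04 before 25/03. A dd/mm label repeats every year, so this form only suits searches whose time range stays under twelve months.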

KailA
Contributor

Hello,

Your problem here is using chart, which will sort your data alphabetically.
Try it like this:

My Base Search
| eval date_wday=lower(strftime(_time,"%A"))
| eval date_w=strftime(_time,"%d/%m") 
| where NOT (date_wday = "sunday" OR date_wday = "saturday")
| timechart span=1d count(foo) as "foo", count(bar) as "bar" 

That should work for you, let me know 🙂

Zakary_n
Path Finder

Hey KailA, thank you for your response!

Unfortunately, with timechart it's impossible to cut weekend days out from my display.

See this question I asked earlier about this:

https://answers.splunk.com/answers/729005/how-do-you-completely-remove-saturdays-and-sundays.html#co...

0 Karma

KailA
Contributor

And if you add | where foo != 0 AND bar != 0 at the end?

0 Karma

Zakary_n
Path Finder

I might need to do it this way in the near future actually, depending on what they tell me to do at work.
Thank you for your help @KailA !

0 Karma