Splunk Search

How come my chart is not displaying in the right order?

Path Finder

In order to remove weekend days completely from my timechart, I created a request:

My Base Search

| eval date_wday=lower(strftime(_time,"%A"))
| eval date_w=strftime(_time,"%d/%m") 
| where NOT (date_wday = "sunday" OR date_wday = "saturday")
| chart count(foo) as "foo", count(bar) as "bar" by date_w
| rename date_w as "Working Days"

And I get this result, with the problem that days are not in the right order:

Even if I add "| sort date_w " in my search, it won't display properly.

Is there a way to correct this?

0 Karma

SplunkTrust

@Zakary_n, change | eval date_w=strftime(_time,"%d/%m") to | eval date_w=strftime(_time,"%m/%d").

Also check whether the default extracted field date_wday already exists in your data; if it does, you will not need | eval date_wday=lower(strftime(_time,"%A")) and you can move NOT (date_wday = "sunday" OR date_wday = "saturday") to base search as (date_wday!= "sunday" OR date_wday!="saturday").

Try the following search:

My Base Search (date_wday!="sunday" AND date_wday!="saturday")
| eval date_w=strftime(_time,"%Y/%m/%d") 
| chart count(foo) as "foo", count(bar) as "bar" by date_w
| rename date_w as "Working Days"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

Path Finder

@niketnilay yup I did that. It's a fine workaround I guess, thank you.
Now if they ask me at my work to change the format of the date I'll legit cry lol.
Thanks again

0 Karma

SplunkTrust

@Zakary_n there may be some nasty workaround possible in case that is absolutely required. Until then, the happy path is to use YYYY/mm/dd for string time sorting. 🙂

I have converted my comment to answer. Please accept to mark this as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
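
One way to keep a dd/mm label and still get chronological order is to sort on the numeric _time before it is turned into a string. The search below is an added example, not code from the thread; it uses constructed makeresults events with made-up foo and bar values in place of the base search, spanning 35 days so that a month boundary is always crossed.

```spl
| makeresults count=35
| streamstats count as n
| eval _time = relative_time(now(), "@d") - (n - 1) * 86400
| eval foo = n, bar = if(n % 2 == 0, n, null())
| eval date_wday = lower(strftime(_time, "%A"))
| where NOT (date_wday = "sunday" OR date_wday = "saturday")
| bin _time span=1d
| stats count(foo) as foo, count(bar) as bar by _time
| sort 0 _time
| eval "Working Days" = strftime(_time, "%d/%m")
| table "Working Days" foo bar
```

Replace the first four lines with the real base search; the rest of the pipeline stays the same, and only the final strftime format changes if a different label is requested.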

Contributor

Hello,

Your problem here is using chart, which will sort your data alphabetically.
Try it like this:

My Base Search
| eval date_wday=lower(strftime(_time,"%A"))
| eval date_w=strftime(_time,"%d/%m") 
| where NOT (date_wday = "sunday" OR date_wday = "saturday")
| timechart span=1d count(foo) as "foo", count(bar) as "bar" 

That should work for you, let me know 🙂

Path Finder

Hey KailA, thank you for your response!

Unfortunately, with timechart it's impossible to cut weekend days out from my display.

See this question I asked earlier about this:

https://answers.splunk.com/answers/729005/how-do-you-completely-remove-saturdays-and-sundays.html#co...

0 Karma

Contributor

And if you add | where foo != 0 AND bar != 0 at the end?

0 Karma

Path Finder

I might need to do it this way in the near future actually, depending on what they tell me to do at work.
Thank you for your help @KailA !

0 Karma