Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I compare a Saturday to another Saturday

approachct
Path Finder
‎02-13-2011 11:23 PM

I want to compare the results from one Saturday to 3-4 prior Saturdays. The query I am using is created from the postings here and returns the # of events/second that were logged for a particular host.

host="Prod_LogHistory"| eval count=1 | timechart per_second(count) as events_per_second

I would like to see a line chart that could show 3-4 Saturday's on the same chart.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎12-06-2013 01:42 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

If you want to limit it to a specific day of the week, add: 

... | where strftime(_time, "%A") == "Saturday"

http://apps.splunk.com/app/1645/

View solution in original post

Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎12-06-2013 01:42 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

If you want to limit it to a specific day of the week, add: 

... | where strftime(_time, "%A") == "Saturday"

http://apps.splunk.com/app/1645/

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-15-2011 01:46 AM

host="Prod_LogHistory" date_wday=saturday earliest=-4w@w6 | eval count=1 | timechart span=24h per_second(count) as events_per_second

Reply
Solved! Jump to solution

approachct
Path Finder
‎04-08-2011 03:38 PM

This works to just give me the two days, but there is a large gap in the graph. Is there a way to see the prior weekday on the same graph at a same week day.

0 Karma
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 02:51 AM

Is "| eval count=1" leftover text from a test?

0 Karma
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 02:23 AM

You could probably do it like this:

host="Prod_LogHistory" earliest=-1mon@w6 | timechart span=1w per_second(count) as events_per_second

That should snap the date back 1 month, round it to Saturday, then show a timechart with 1 week intervals from Saturday.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...