Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I compare a Saturday to another Saturday

approachct
Path Finder
‎02-13-2011 11:23 PM

I want to compare the results from one Saturday to 3-4 prior Saturdays. The query I am using is created from the postings here and returns the # of events/second that were logged for a particular host.

host="Prod_LogHistory"| eval count=1 | timechart per_second(count) as events_per_second

I would like to see a line chart that could show 3-4 Saturday's on the same chart.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎12-06-2013 01:42 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

If you want to limit it to a specific day of the week, add: 

... | where strftime(_time, "%A") == "Saturday"

http://apps.splunk.com/app/1645/

View solution in original post

Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎12-06-2013 01:42 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

If you want to limit it to a specific day of the week, add: 

... | where strftime(_time, "%A") == "Saturday"

http://apps.splunk.com/app/1645/

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-15-2011 01:46 AM

host="Prod_LogHistory" date_wday=saturday earliest=-4w@w6 | eval count=1 | timechart span=24h per_second(count) as events_per_second

Reply
Solved! Jump to solution

approachct
Path Finder
‎04-08-2011 03:38 PM

This works to just give me the two days, but there is a large gap in the graph. Is there a way to see the prior weekday on the same graph at a same week day.

0 Karma
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 02:51 AM

Is "| eval count=1" leftover text from a test?

0 Karma
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 02:23 AM

You could probably do it like this:

host="Prod_LogHistory" earliest=-1mon@w6 | timechart span=1w per_second(count) as events_per_second

That should snap the date back 1 month, round it to Saturday, then show a timechart with 1 week intervals from Saturday.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...