Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I compare a Saturday to another Saturday

approachct
Path Finder
‎02-13-2011 11:23 PM

I want to compare the results from one Saturday to 3-4 prior Saturdays. The query I am using is created from the postings here and returns the # of events/second that were logged for a particular host.

host="Prod_LogHistory"| eval count=1 | timechart per_second(count) as events_per_second

I would like to see a line chart that could show 3-4 Saturday's on the same chart.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎12-06-2013 01:42 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

If you want to limit it to a specific day of the week, add: 

... | where strftime(_time, "%A") == "Saturday"

http://apps.splunk.com/app/1645/

View solution in original post

Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎12-06-2013 01:42 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

If you want to limit it to a specific day of the week, add: 

... | where strftime(_time, "%A") == "Saturday"

http://apps.splunk.com/app/1645/

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-15-2011 01:46 AM

host="Prod_LogHistory" date_wday=saturday earliest=-4w@w6 | eval count=1 | timechart span=24h per_second(count) as events_per_second

Reply
Solved! Jump to solution

approachct
Path Finder
‎04-08-2011 03:38 PM

This works to just give me the two days, but there is a large gap in the graph. Is there a way to see the prior weekday on the same graph at a same week day.

0 Karma
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 02:51 AM

Is "| eval count=1" leftover text from a test?

0 Karma
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 02:23 AM

You could probably do it like this:

host="Prod_LogHistory" earliest=-1mon@w6 | timechart span=1w per_second(count) as events_per_second

That should snap the date back 1 month, round it to Saturday, then show a timechart with 1 week intervals from Saturday.

Reply
Get Updates on the Splunk Community!

Blueprints for High-Maturity Operations: Splunk Lantern Articles on SOAR, ES 8.4, ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Simplifying the Analyst Experience with Finding-based Detections

    Splunk invites you to an engaging Tech Talk focused on streamlining security operations with ...

[Puzzles] Solve, Learn, Repeat: Word Search

This challenge was first posted on Slack #puzzles channelThis puzzle is based on a letter grid containing ...