Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I compare a Saturday to another Saturday

approachct
Path Finder
‎02-13-2011 11:23 PM

I want to compare the results from one Saturday to 3-4 prior Saturdays. The query I am using is created from the postings here and returns the # of events/second that were logged for a particular host.

host="Prod_LogHistory"| eval count=1 | timechart per_second(count) as events_per_second

I would like to see a line chart that could show 3-4 Saturday's on the same chart.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎12-06-2013 01:42 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

If you want to limit it to a specific day of the week, add: 

... | where strftime(_time, "%A") == "Saturday"

http://apps.splunk.com/app/1645/

View solution in original post

Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎12-06-2013 01:42 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

If you want to limit it to a specific day of the week, add: 

... | where strftime(_time, "%A") == "Saturday"

http://apps.splunk.com/app/1645/

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-15-2011 01:46 AM

host="Prod_LogHistory" date_wday=saturday earliest=-4w@w6 | eval count=1 | timechart span=24h per_second(count) as events_per_second

Reply
Solved! Jump to solution

approachct
Path Finder
‎04-08-2011 03:38 PM

This works to just give me the two days, but there is a large gap in the graph. Is there a way to see the prior weekday on the same graph at a same week day.

0 Karma
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 02:51 AM

Is "| eval count=1" leftover text from a test?

0 Karma
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 02:23 AM

You could probably do it like this:

host="Prod_LogHistory" earliest=-1mon@w6 | timechart span=1w per_second(count) as events_per_second

That should snap the date back 1 month, round it to Saturday, then show a timechart with 1 week intervals from Saturday.

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...