Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I compare a Saturday to another Saturday

approachct
Path Finder
‎02-13-2011 11:23 PM

I want to compare the results from one Saturday to 3-4 prior Saturdays. The query I am using is created from the postings here and returns the # of events/second that were logged for a particular host.

host="Prod_LogHistory"| eval count=1 | timechart per_second(count) as events_per_second

I would like to see a line chart that could show 3-4 Saturday's on the same chart.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎12-06-2013 01:42 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

If you want to limit it to a specific day of the week, add: 

... | where strftime(_time, "%A") == "Saturday"

http://apps.splunk.com/app/1645/

View solution in original post

Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎12-06-2013 01:42 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

If you want to limit it to a specific day of the week, add: 

... | where strftime(_time, "%A") == "Saturday"

http://apps.splunk.com/app/1645/

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-15-2011 01:46 AM

host="Prod_LogHistory" date_wday=saturday earliest=-4w@w6 | eval count=1 | timechart span=24h per_second(count) as events_per_second

Reply
Solved! Jump to solution

approachct
Path Finder
‎04-08-2011 03:38 PM

This works to just give me the two days, but there is a large gap in the graph. Is there a way to see the prior weekday on the same graph at a same week day.

0 Karma
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 02:51 AM

Is "| eval count=1" leftover text from a test?

0 Karma
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 02:23 AM

You could probably do it like this:

host="Prod_LogHistory" earliest=-1mon@w6 | timechart span=1w per_second(count) as events_per_second

That should snap the date back 1 month, round it to Saturday, then show a timechart with 1 week intervals from Saturday.

Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...