How do I exclude Mondays from a Timechart

splunkuser2127 · ‎09-24-2021

There are no data on Mondays so my timecharts always dip to 0.

{search string} | eval date_wday=lower(strftime(_time,"%A")) | where NOT (date_wday=monday) | timechart span=1d count by ColName

Is there any way to make the timechart skip Mondays (not just set it to 0)?

PickleRick · ‎09-25-2021

Depends on what you want to achieve.

Generally, it depends on your timerange. If you want to have data points: Wed, Thu, Fri,Sat,Sun,Tue,Wed and so on, without any "spaces" between sunday and tuesday, you can't do that with simple timechart. As the name implies, timechart does a chart over time so it doesn't mind your data as much as time progress.

You can try timecharting, then filtering out mondays, then doing a chart (not timechart) of remaining values. (can't provide you with a resulting search, I'm on my mobile and don't have access to my splunk installation ATM).

BTW, don't you think it will be confusing for the recipient of your report if you skip every monday (especially if you want do draw a line or barchart from the resulting data)?

splunkuser2127 · ‎09-27-2021

It doesn't seem to be working for me, I can't turn a timechart into a regular chart (at least not in the way that's useful for me)

ITWhisperer · ‎09-24-2021

Try this way around

{search string} | timechart span=1d count by ColName | eval date_wday=lower(strftime(_time,"%A")) | where NOT (date_wday=monday)

splunkuser2127 · ‎09-24-2021

Same result, didn't work.

ITWhisperer · ‎09-24-2021

{search string} | timechart span=1d count by ColName | eval date_wday=lower(strftime(_time,"%A")) | where NOT (date_wday=monday)
| rename _time as time
| fieldformat time=strftime(time,"%Y/%m/%d")

splunkuser2127 · ‎09-24-2021

Same result, it doesn't work. Mondays still show up as 0

ITWhisperer · ‎09-24-2021

Are you putting Monday in quotes?

splunkuser2127 · ‎09-27-2021

No, but with or without doesn't work

ITWhisperer · ‎09-27-2021

Can you share your search as it stands now?

splunkuser2127 · ‎09-27-2021

This is one attempt:

{search} | timechart span=1d count by ColName | eval date_wday=lower(strftime(_time,"%A")) | where NOT (date_wday=monday) | chart max(date_wday), count by ColName

This is another:

{search} | bin span=1d _time | eval date_wday=lower(strftime(_time,"%A")) | where NOT (date_wday=monday) | chart count by ColName

This second one gives me a regular bar chart xaxis column name y axis count, not sure how to do a multiseries chart over time (without using timechart)

ITWhisperer · ‎09-27-2021

Try

| rename _time as time
| fieldformat time=strftime(time,"%Y/%m/%d")

As I suggested earlier

_time is treated as a special fieldname by the chart viz and it fills in the gaps e.g. Monday, by renaming it, you avoid that issue.

splunkuser2127 · ‎09-27-2021

I've tried it in your earlier suggestion, how do you want me to construct the search now?

How do I exclude Mondays from a Timechart

timechart

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life