Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you change a span of 1 week time to start from Saturday to friday?

DataOrg
Builder
‎11-23-2018 04:07 AM

I have data and I need to visualize for a span of 1 week. I.e: it takes data from Sunday to Saturday.

But, I want a span of 1 week to group data from Saturday to Friday.

0 Karma
Reply

dural_yyz
Communicator
‎07-15-2020 09:09 AM

Sorry for the late response but I just had a similar issue and found your unanswered inquiry.  Perhaps this will help the next person that runs across this post.

| tstats count WHERE index=* earliest=-8w@w6 latest=+1w@w6 GROUPBY _time span=1h

| timechart span=1h partial=f sum(count)

| timewrap 1week align=end

Explination:

https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Timewrap

https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/SearchTimeModifiers

By default the timewrap aligns to the end of your search time which defaults to now().  I did not have to add it above but did so to demonstrate the additional syntax that comes with timewrap and options are available.

Adding latest to my SPL search function I override the end search time frame of now() and force a future look ahead until end of 1 week.  This ensures that in the visualization you maintain a view of value in progress over time for current week.  The \@w6 is where the secret to forcing days comes in to play.  By using this function of the time you are overriding the default snap to as Sunday to Sunday. The value 6 indicates Saturday so now your graph will visualize from Saturday 00:00 thru Friday 23:59:59.999.  You can select any window you want by manipulating that time modifier configuration.
I would add that you do not have to do the same with the earliest but the impact to the visualization may be unpredictable so would recommend aligning the two as best practice.

Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎11-28-2018 04:24 PM

Hi @premranjithj

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Reply

DataOrg
Builder
‎12-06-2018 10:15 PM

@mstjohn_splunk help with the solution

0 Karma
Reply

Azeemering
Builder
‎11-23-2018 04:58 AM

Hi,

Not sure if I fully undertstand your question but I think you could start looking at the timewrap command:

Display a timechart that has a span of 1 day for each count in a week over week comparison table. Each table column, which is the series, is 1 week of time.

... | timechart count span=1d | timewrap 1week

0 Karma
Reply

DataOrg
Builder
‎12-06-2018 10:14 PM

usualy Span=1 week groups data from monday 00:00 hrs to Sunday 23.59 hrs. instead i want the span to start from Saturday 00::00hrs to friday 23.59 hrs.

0 Karma
Reply

armesh
Engager
‎11-22-2023 08:51 AM

Try below. It will start the bin from Saturday.

| bin span=1w@w6 _time

 

For Monday it will be

| bin span=1w@w1 _time

 

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...