Splunk Search

How do you change a span of 1 week time to start from Saturday to Friday?


I have data and I need to visualize it for a span of 1 week, i.e., it takes data from Sunday to Saturday.

But, I want a span of 1 week to group data from Saturday to Friday.

0 Karma


Sorry for the late response but I just had a similar issue and found your unanswered inquiry.  Perhaps this will help the next person that runs across this post.

| tstats count WHERE index=* earliest=-8w@w6 latest=+1w@w6 GROUPBY _time span=1h
| timechart span=1h partial=f sum(count)
| timewrap 1week align=end




By default, timewrap aligns to the end of your search time, which defaults to now(). I did not have to add it above but did so to demonstrate the additional syntax that comes with timewrap and the options that are available.

By adding latest to my SPL search, I override the end search time frame of now() and force a future look-ahead until the end of 1 week. This ensures that in the visualization you maintain a view of the value in progress over time for the current week. The @w6 is where the secret to forcing days comes into play. By using this function of the time you are overriding the default snap-to of Sunday to Sunday. The value 6 indicates Saturday, so now your graph will visualize from Saturday 00:00 thru Friday 23:59:59.999. You can select any window you want by manipulating that time modifier configuration.
I would add that you do not have to do the same with the earliest, but the impact on the visualization may be unpredictable, so I would recommend aligning the two as best practice.

Splunk Employee

Hi @premranjithj

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma


@mstjohn_splunk help with the solution

0 Karma



Not sure if I fully understand your question, but I think you could start looking at the timewrap command:

Display a timechart that has a span of 1 day for each count in a week over week comparison table. Each table column, which is the series, is 1 week of time.

... | timechart count span=1d | timewrap 1week

0 Karma


Usually span=1 week groups data from Monday 00:00 hrs to Sunday 23:59 hrs. Instead, I want the span to start from Saturday 00:00 hrs to Friday 23:59 hrs.

0 Karma


Try below. It will start the bin from Saturday.

| bin span=1w@w6 _time


For Monday it will be

| bin span=1w@w1 _time
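
A quick way to check where Saturday-aligned weeks begin and end before relying on them in a dashboard or weekly report. This is an added example, not part of any reply in the thread. It generates 21 constructed daily events with makeresults, so it needs no index data, and labels each one with the week start returned by the same @w6 snap-to modifier discussed above. The field names n, week_start, week_of, day, days, first_day and last_day are made up for the illustration.

```spl
| makeresults count=21
| streamstats count AS n
| eval _time = relative_time(now(), "@d") + 43200 - (n - 1) * 86400
| eval week_start = relative_time(_time, "@w6")
| eval day = strftime(_time, "%Y-%m-%d %a")
| eval week_of = strftime(week_start, "%Y-%m-%d %a")
| stats count AS days min(day) AS first_day max(day) AS last_day BY week_start week_of
| sort week_start
| fields - week_start
```

Every complete week in the output should show 7 days with first_day on a Sat and last_day on a Fri. The oldest and newest rows can be partial weeks, depending on the day the search is run.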

