Splunk Search

How to do a timechart of a week with a timewrap on the previous year?

Clovisa
Path Finder

Hi! I am trying to display a timechart that gives the data of a week, and the data of the same week but one year earlier.
I have done something with timechart and timewrap that gives me that comparison, but also gives me the comparison of all the rest of the year. How can I just isolate a specific week? Thanks!

My current request:

index="sales_2017" OR index="sales_2018" 
| timechart span=d count 
| timewrap y

What I got: [image]

What I would like to have: [image]


diogofgm
SplunkTrust

If you know the week number in the year you can try this:

index="sales_2017" OR index="sales_2018" 
| eval date_week_of_year = strftime(_time, "%U")
| where date_week_of_year = "<week you are after>"
| timechart span=d count 
| timewrap w
------------
Hope I was able to help you. If so, some karma would be appreciated.

Clovisa
Path Finder

I think the week numbers are different from one year to the other in my case so it doesn't work


diogofgm
SplunkTrust

You said you want "the data of a week, and the data of the same week but one year earlier"

For a moment forget about Splunk. How do you accomplish this on paper, if not looking at the week number in the year? If I recall correctly all years have 52 weeks. This doesn't change regardless of the year. What does change is the day of the week a year starts.

This | eval date_week_of_year = strftime(_time, "%U") takes that into consideration by giving you the number of the week starting on Sunday and considering all the other days before the 1st Sunday as week 0.

If you want your week to start on Monday you can switch %U to %W in this expression.

------------
Hope I was able to help you. If so, some karma would be appreciated.
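
An added illustration, not part of the original thread, of the %U / %W week numbering described in the post above. It uses Python's strftime, which follows the same convention; the function names are hypothetical, and the years 2017 and 2018 are assumed from the index names in the question.

```python
from datetime import date, timedelta


def days_in_week(year, week, fmt="%U"):
    """Return every date in `year` whose strftime(fmt) week number equals `week`.

    fmt="%U": weeks start on Sunday, days before the first Sunday are week 0.
    fmt="%W": weeks start on Monday, days before the first Monday are week 0.
    """
    wanted = f"{week:02d}"  # strftime returns a zero-padded string, e.g. "05"
    day = date(year, 1, 1)
    matches = []
    while day.year == year:
        if day.strftime(fmt) == wanted:
            matches.append(day)
        day += timedelta(days=1)
    return matches


def compare_years(week, years=(2017, 2018), fmt="%U"):
    """Map each year to (first day, last day, number of days) of that week.

    Dates are returned as ISO strings; a year with no such week maps to None.
    """
    result = {}
    for year in years:
        days = days_in_week(year, week, fmt)
        if days:
            result[year] = (days[0].isoformat(), days[-1].isoformat(), len(days))
        else:
            result[year] = None
    return result


if __name__ == "__main__":
    # Weeks 0, 52 and 53 are the edge cases: they can be partial or absent.
    for fmt in ("%U", "%W"):
        for week in (0, 1, 10, 52, 53):
            for year, span in compare_years(week, fmt=fmt).items():
                print(f"{fmt} week {week:>2} in {year}: {span}")
```

With %U, week 10 covers 5 to 11 March in 2017 but 11 to 17 March in 2018, so filtering on the same week number lines the two years up by weekday rather than by calendar date. Weeks 0 and 53 can be partial or missing in a given year.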