Solved: How to edit my search to display data on a weekly ...

prathikpisplunk · ‎11-27-2016

Hi All,

For a trend chart, I have data for the following dates

2016-10-29  - saturday
2016-11-05  - saturday
2016-11-12  - saturday
2016-11-15  - Tuesday
2016-11-26  - saturday

i want a weekly chart which shows saturday's date ( last day of every week) on the axis
here 15 Nov's data also should be shown as 2016-11-19 (saturday's date). How can I do it?

Currently I am using this search

index ="64581-np" earliest=-24w@w6 latest=now sourcetype = "fn_details" matchConfidence!="Not Vulnerable"      
    [
    | tstats max(_time) as maxTime WHERE index ="64581-np" earliest=-24w@w7 sourcetype="fn_details" by source _time span=1w         
    | sort -maxTime         
    | stats first(source) as source by _time         
    | fields source]     
| fields fieldNoticeId,matchConfidence,source    
| eval _time = _time + (86400*7)
| eval _time=if(_time>now(),relative_time(now(),"@d"),_time) 
| eval dayWeek =strftime(_time,"%Y-%m-%d")  
| eval workField = fieldNoticeId.":".dayWeek    
| dedup workField,matchConfidence 
| replace "Potentially Vulnerable" with "Potentially" in matchConfidence    
| stats list(matchConfidence) as matchConfidence by workField    
| eval statusOuput=if(matchConfidence LIKE "Potentially" AND !(matchConfidence LIKE "Vulnerable"),"Potentially Vulnerable","Vulnerable")    
| eval id=mvindex(split(workField,":"),0)    
| eval dayWeek=mvindex(split(workField,":"),1)
| chart dc(id)  over dayWeek by statusOuput

which is giving me below result (dates):

Help much appreciated!

cmerriman · ‎11-28-2016

add this to your search

| eval _time=strftime(relative_time(_time,"@w+6d"),"%D")

that should push all _time to the following Saturday.

View solution in original post

cmerriman · ‎11-28-2016

add this to your search

| eval _time=strftime(relative_time(_time,"@w+6d"),"%D")

that should push all _time to the following Saturday.

prathikpisplunk · ‎11-29-2016

it seems to be working..can you please explain why @w+6d ? Also if the last data uploaded data is middle of the week or today's date ... it shouldnt push to future saturday.

cmerriman · ‎11-29-2016

so, @w+6d snaps _time to the beginning of the week on Sunday and then adds 6 days to it, making _time the end of the week on Saturday.

so if it's the current week, you don't want the data? or you want it to display current date?

| eval _time=if(strftime(relative_time(now(),"@w"),"%D")== strftime(relative_time(_time,"@w"),"%D"),strftime(_time,"%D"), strftime(relative_time(_time,"@w+6d"),"%D"))

something like this might work for you. the first string case says if the current time snapped to Sunday equals the event timestamp snapped to Sunday, then just use that timestamp, otherwise use the following Saturday.

prathikpisplunk · ‎11-29-2016

if is it for past three weeks data.... if the data is available on saturday, then i need saturday.
if it is middle of the week day , then it has to be moved to saturday.
if it is data is pushed today (current day) and it is not saturday , then we have to show the same (current date).

I hope all these conditions are taken care in the above? Please let me know

I will test with different data available....thanks for your input

How to edit my search to display data on a weekly chart?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk