Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get data for last week and current week?

agupta13
Engager
‎08-07-2023 08:55 AM

I have data stored in the csv file, which contains the time field. I want the data for complete last week and also the data for current week.

Eg

Day1: 100
day2: 200.

.

.

.

.Day14:600



I want data from day1-day7 -> Current week and day7-14 -> Previous week

I am doing something like below, but it gives me data from current week 

 

| eval first_day_last_week=relative_time(relative_time(now(),"-1w@w"),"-1d@d"), last_day_last_week=relative_time(relative_time(now(),"-1w@w"),"+6d@d") 
| where _time>=first_day_last_week AND _time<=last_day_last_week

 


technically the data should not come up as today is the Aug 7 and it should not show as it is from current week

agupta13_0-1691423871567.png

 

Labels (4)
Labels
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-07-2023 10:48 PM

As of August 8th (Australia) - the first day LAST week is 29th July and the last day last week is the 5th August - Sun-Sat. This would also be true in your case of Mon 7th August. The "Current week" is 7th-13th August.

Therefore the dates of the events you have are 3rd and 4th of August which is the Thu/Fri LAST week, so that data is giving what you are asking for.

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-07-2023 11:12 AM

I think you're overcomplicating that a bit.

If you just want to count by days or weeks why not starting with either

| bin _time span=1d

(or 1w)

And if you want to do some aggregation you could just timechart instead.

Anyway, even if you want to just filter, your method of calculating relative time vs relative time is a bit strange.

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games Tutorial Extension - part 9

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games Tutorial Extension - part 8

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
li.common.scroll-to.top