Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to group daily results by week more close together?

KalebeRS
Explorer
‎07-18-2023 06:59 AM

Hello,

I have this search for a chart that counts values weekly and divides then by day of the week.

Is there any option that I can do to show this graph a little more compact grouping the results daily in showing just the week like the screenshots examples?

 

KalebeRS_0-1689688738990.png

 

 

 

 

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2023 07:08 AM

Hi @KalebeRS ,

let me understand: you have a chart with data divided by week/day and you want to aggregate data by week, is it correct?

if this is your requirement, you can extract the week number and use it for charting:

index="" host= sourcetype=csv [search index="" host= sourcetype=csv source=C:\\CW28_2.csv | dedup source | table source | sort - source | head 1 ] 
| where iswSD >= strftime(relative_time(now(), "-3w@w"),"%Y-%m-%d")
| eval Week_Number=strftime(strptime(iswSD,"%Y-%m-%d"),"%V")
| eval ISWGT=if(iswSD>pverSF, 1,0)
| eval ISWLE=if(iswSD<=pverSF, 1,0)
| eval non_mapped=case(match(pverID, ""), "match")
| chart sum(ISWGT), sum(ISWLE), count(non_mapped) as "Non Mapped" by Week_Number

Ciao.

Giuseppe

0 Karma
Reply

KalebeRS
Explorer
‎07-18-2023 07:23 AM

Not exactly, I just need to rearenge the values by week day into smaller groups, like in the screenshot. Still showing the values by week dividing by day, but in a compact form.

KalebeRS_0-1689690185875.png

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2023 07:28 AM

Hi @KalebeRS,

it's possible if you have only one valye in the chart command,

otherwise, it runs, but it isn't so readable.

please try this:

index="" host= sourcetype=csv [search index="" host= sourcetype=csv source=C:\\CW28_2.csv | dedup source | table source | sort - source | head 1 ] 
| table iswID, iswTitle, iswSD, pverID, pverSF
| where iswSD >= strftime(relative_time(now(), "-3w@w"),"%Y-%m-%d")
| eval Week_Number=strftime(strptime(iswSD,"%Y-%m-%d"),"%V")
| eval Week_Number_Day=strftime(strptime(iswSD,"%Y-%m-%d"),"%V %A")
| eval ISWGT=if(iswSD>pverSF, 1,0)
| eval ISWLE=if(iswSD<=pverSF, 1,0)
| eval non_mapped=case(match(pverID, ""), "match")
| chart sum(ISWGT), sum(ISWLE), count(non_mapped) as "Non Mapped" OVER  Week_Number_Day BY Week_Number

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...