Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to group daily results by week more close together?

KalebeRS
Explorer
‎07-18-2023 06:59 AM

Hello,

I have this search for a chart that counts values weekly and divides then by day of the week.

Is there any option that I can do to show this graph a little more compact grouping the results daily in showing just the week like the screenshots examples?

 

KalebeRS_0-1689688738990.png

 

 

 

 

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2023 07:08 AM

Hi @KalebeRS ,

let me understand: you have a chart with data divided by week/day and you want to aggregate data by week, is it correct?

if this is your requirement, you can extract the week number and use it for charting:

index="" host= sourcetype=csv [search index="" host= sourcetype=csv source=C:\\CW28_2.csv | dedup source | table source | sort - source | head 1 ] 
| where iswSD >= strftime(relative_time(now(), "-3w@w"),"%Y-%m-%d")
| eval Week_Number=strftime(strptime(iswSD,"%Y-%m-%d"),"%V")
| eval ISWGT=if(iswSD>pverSF, 1,0)
| eval ISWLE=if(iswSD<=pverSF, 1,0)
| eval non_mapped=case(match(pverID, ""), "match")
| chart sum(ISWGT), sum(ISWLE), count(non_mapped) as "Non Mapped" by Week_Number

Ciao.

Giuseppe

0 Karma
Reply

KalebeRS
Explorer
‎07-18-2023 07:23 AM

Not exactly, I just need to rearenge the values by week day into smaller groups, like in the screenshot. Still showing the values by week dividing by day, but in a compact form.

KalebeRS_0-1689690185875.png

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2023 07:28 AM

Hi @KalebeRS,

it's possible if you have only one valye in the chart command,

otherwise, it runs, but it isn't so readable.

please try this:

index="" host= sourcetype=csv [search index="" host= sourcetype=csv source=C:\\CW28_2.csv | dedup source | table source | sort - source | head 1 ] 
| table iswID, iswTitle, iswSD, pverID, pverSF
| where iswSD >= strftime(relative_time(now(), "-3w@w"),"%Y-%m-%d")
| eval Week_Number=strftime(strptime(iswSD,"%Y-%m-%d"),"%V")
| eval Week_Number_Day=strftime(strptime(iswSD,"%Y-%m-%d"),"%V %A")
| eval ISWGT=if(iswSD>pverSF, 1,0)
| eval ISWLE=if(iswSD<=pverSF, 1,0)
| eval non_mapped=case(match(pverID, ""), "match")
| chart sum(ISWGT), sum(ISWLE), count(non_mapped) as "Non Mapped" OVER  Week_Number_Day BY Week_Number

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...