Splunk Search

How to group daily results by week more close together?

KalebeRS
Explorer

Hello,

I have this search for a chart that counts values weekly and divides them by day of the week.

Is there any option to show this graph in a more compact form, grouping the daily results so that just the week is shown, like in the screenshot examples?

KalebeRS_0-1689688738990.png
0 Karma

gcusello
SplunkTrust

Hi @KalebeRS ,

let me understand: you have a chart with data divided by week/day and you want to aggregate data by week, is it correct?

if this is your requirement, you can extract the week number and use it for charting:

index="" host= sourcetype=csv [search index="" host= sourcetype=csv source=C:\\CW28_2.csv | dedup source | table source | sort - source | head 1 ] 
| where iswSD >= strftime(relative_time(now(), "-3w@w"),"%Y-%m-%d")
| eval Week_Number=strftime(strptime(iswSD,"%Y-%m-%d"),"%V")
| eval ISWGT=if(iswSD>pverSF, 1,0)
| eval ISWLE=if(iswSD<=pverSF, 1,0)
| eval non_mapped=case(match(pverID, ""), "match")
| chart sum(ISWGT), sum(ISWLE), count(non_mapped) as "Non Mapped" by Week_Number

Ciao.

Giuseppe

0 Karma

KalebeRS
Explorer

Not exactly, I just need to rearrange the values by weekday into smaller groups, like in the screenshot. Still showing the values by week, divided by day, but in a compact form.

KalebeRS_0-1689690185875.png
0 Karma

gcusello
SplunkTrust

Hi @KalebeRS,

it's possible if you have only one value in the chart command,

otherwise, it runs, but it isn't so readable.

please try this:

index="" host= sourcetype=csv [search index="" host= sourcetype=csv source=C:\\CW28_2.csv | dedup source | table source | sort - source | head 1 ] 
| table iswID, iswTitle, iswSD, pverID, pverSF
| where iswSD >= strftime(relative_time(now(), "-3w@w"),"%Y-%m-%d")
| eval Week_Number=strftime(strptime(iswSD,"%Y-%m-%d"),"%V")
| eval Week_Number_Day=strftime(strptime(iswSD,"%Y-%m-%d"),"%V %A")
| eval ISWGT=if(iswSD>pverSF, 1,0)
| eval ISWLE=if(iswSD<=pverSF, 1,0)
| eval non_mapped=case(match(pverID, ""), "match")
| chart sum(ISWGT), sum(ISWLE), count(non_mapped) as "Non Mapped" OVER  Week_Number_Day BY Week_Number

Ciao.

Giuseppe

0 Karma
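Added example, not from the thread or from Splunk: a small Python emulation of the final answer's `chart ... OVER Week_Number_Day BY Week_Number` pivot, run over constructed rows standing in for the CSV fields. It shows what the pivot table looks like and two caveats a practitioner hits with this search: `%V` carries no year, so a range spanning New Year maps 2023-01-01 to week "52", and the OVER axis is sorted as text, so "28 Friday" lands before "28 Monday" unless you sort it yourself. The meaning of "non mapped" is assumed here to be an empty pverID, since the pattern in the thread's `match(pverID, "")` is elided on the page.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows standing in for the CSV fields used in the thread.
# iswSD: item start date, pverSF: reference date it is compared against,
# pverID: assumed empty when the item is "non mapped" (assumption, see lead-in).
ROWS = [
    {"iswSD": "2023-07-10", "pverSF": "2023-07-12", "pverID": "P1"},  # wk 28 Mon, LE
    {"iswSD": "2023-07-11", "pverSF": "2023-07-05", "pverID": ""},    # wk 28 Tue, GT, non mapped
    {"iswSD": "2023-07-11", "pverSF": "2023-07-11", "pverID": "P2"},  # wk 28 Tue, LE
    {"iswSD": "2023-07-17", "pverSF": "2023-07-01", "pverID": "P3"},  # wk 29 Mon, GT
    {"iswSD": "2023-01-01", "pverSF": "2023-01-02", "pverID": ""},    # ISO week 52 of 2022!
]

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def week_keys(iswSD: str) -> tuple[str, str]:
    """Mirror the two eval lines: strftime(..., "%V") and strftime(..., "%V %A")."""
    d = datetime.strptime(iswSD, "%Y-%m-%d").date()
    _iso_year, iso_week, iso_dow = d.isocalendar()  # %V drops the ISO year
    week = f"{iso_week:02d}"
    return week, f"{week} {WEEKDAYS[iso_dow - 1]}"


def chart(rows):
    """Emulate: chart sum(ISWGT), sum(ISWLE), count(non_mapped) OVER Week_Number_Day BY Week_Number.

    Returns {Week_Number_Day: {Week_Number: {"ISWGT": n, "ISWLE": n, "Non Mapped": n}}}.
    """
    cells = defaultdict(lambda: defaultdict(lambda: {"ISWGT": 0, "ISWLE": 0, "Non Mapped": 0}))
    for r in rows:
        week, week_day = week_keys(r["iswSD"])
        cell = cells[week_day][week]
        # ISO yyyy-mm-dd strings compare like dates, as the SPL where/if clauses rely on
        cell["ISWGT"] += int(r["iswSD"] > r["pverSF"])
        cell["ISWLE"] += int(r["iswSD"] <= r["pverSF"])
        cell["Non Mapped"] += int(r["pverID"] == "")
    return {day: dict(by_week) for day, by_week in cells.items()}


def ordered_keys(table):
    """Order the OVER axis by week then weekday; a plain text sort puts '28 Friday' before '28 Monday'."""
    return sorted(table, key=lambda k: (int(k.split()[0]), WEEKDAYS.index(k.split()[1])))


if __name__ == "__main__":
    t = chart(ROWS)
    for key in ordered_keys(t):
        print(key, t[key])
```

Note that the January row still sorts after week 29 because its key is "52", which is what the `%V`-only week number produces when the `-3w@w` window crosses a year boundary.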