Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to group daily results by week more close together?

KalebeRS
Explorer
‎07-18-2023 06:59 AM

Hello,

I have this search for a chart that counts values weekly and divides then by day of the week.

Is there any option that I can do to show this graph a little more compact grouping the results daily in showing just the week like the screenshots examples?

 

KalebeRS_0-1689688738990.png

 

 

 

 

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2023 07:08 AM

Hi @KalebeRS ,

let me understand: you have a chart with data divided by week/day and you want to aggregate data by week, is it correct?

if this is your requirement, you can extract the week number and use it for charting:

index="" host= sourcetype=csv [search index="" host= sourcetype=csv source=C:\\CW28_2.csv | dedup source | table source | sort - source | head 1 ] 
| where iswSD >= strftime(relative_time(now(), "-3w@w"),"%Y-%m-%d")
| eval Week_Number=strftime(strptime(iswSD,"%Y-%m-%d"),"%V")
| eval ISWGT=if(iswSD>pverSF, 1,0)
| eval ISWLE=if(iswSD<=pverSF, 1,0)
| eval non_mapped=case(match(pverID, ""), "match")
| chart sum(ISWGT), sum(ISWLE), count(non_mapped) as "Non Mapped" by Week_Number

Ciao.

Giuseppe

0 Karma
Reply

KalebeRS
Explorer
‎07-18-2023 07:23 AM

Not exactly, I just need to rearenge the values by week day into smaller groups, like in the screenshot. Still showing the values by week dividing by day, but in a compact form.

KalebeRS_0-1689690185875.png

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2023 07:28 AM

Hi @KalebeRS,

it's possible if you have only one valye in the chart command,

otherwise, it runs, but it isn't so readable.

please try this:

index="" host= sourcetype=csv [search index="" host= sourcetype=csv source=C:\\CW28_2.csv | dedup source | table source | sort - source | head 1 ] 
| table iswID, iswTitle, iswSD, pverID, pverSF
| where iswSD >= strftime(relative_time(now(), "-3w@w"),"%Y-%m-%d")
| eval Week_Number=strftime(strptime(iswSD,"%Y-%m-%d"),"%V")
| eval Week_Number_Day=strftime(strptime(iswSD,"%Y-%m-%d"),"%V %A")
| eval ISWGT=if(iswSD>pverSF, 1,0)
| eval ISWLE=if(iswSD<=pverSF, 1,0)
| eval non_mapped=case(match(pverID, ""), "match")
| chart sum(ISWGT), sum(ISWLE), count(non_mapped) as "Non Mapped" OVER  Week_Number_Day BY Week_Number

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...