Splunk Search

My weekly timespan shows bins that are more than week boundaries

tambepc
New Member

I have set up an accelerated summary for a report with summary range of 1 month. I want to report summary by week. When I run a search with "timechart bins=4 span=1week...", I get 4 to 5 bins: one per week. But then I also get some other bins with days in addition to weekly bins in my search results. I don't want to get individual days that are outside the week boundaries. I never want to see data summarized by any granularity lower than a week. Do I need to change my acceleration setup or my timechart command in the search?

Splunk doc says to let them figure out the correct timespan. But I feel that they are summarizing at too low of a granular level (10min, 1hr). Regardless, I want the timechart command to show correct results with proper weekly bins.

What is wrong here?

Here is how my summary detail looks:


Details
Summarization Load 0.0000
Access Count 0 Last Access: Never
Size on Disk 7.83MB
Summary Range 30 days
Timespans 10min, 1d, 1h, 1mon
Buckets 506
Chunks 1002


woodcock
Esteemed Legend

Do the bucketing yourself, like this, just before your timechart command:

... |  eval _time = case((tonumber(strftime(_time, "%d")) <= 7),  "1",
                         (tonumber(strftime(_time, "%d")) <= 14), "2",
                         (tonumber(strftime(_time, "%d")) <= 21), "3",
                         (tonumber(strftime(_time, "%d")) <= 28), "4",
                                                          true(), "5")



tambepc
New Member

Thank you @woodcock. This worked. I further modified it as follows to snap _time to the beginning of the week (Sunday):

| eval _time = strftime(relative_time(_time, "-0w@w"),"%Y-%m-%d")
| stats count as events by _time

Although, I am somewhat disappointed that timechart is not working as expected with its "span" and "bins" options. Anyway, thank you very much for your help!!

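Added example, not code from the thread: a Python model of the two bucketing approaches above (woodcock's day-of-month case() and the follow-up's snap to Sunday) run over a constructed 30-day window that crosses a month boundary, so the resulting bins can be compared offline. It assumes, as the follow-up states, that Splunk's @w snaps to Sunday 00:00.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not real data): one event per day over a 30-day
# summary range that starts mid-week and crosses from March into April.
START = datetime(2019, 3, 20)          # a Wednesday
EVENTS = [START + timedelta(days=i) for i in range(30)]


def day_of_month_bucket(ts: datetime) -> str:
    """Mirror of the case() expression in the accepted answer: label the
    event by which 7-day slice of its calendar month the day falls in.
    Note the label carries no month, so slice "3" of March and slice "3"
    of April land in the same bucket when the range spans two months."""
    d = int(ts.strftime("%d"))
    if d <= 7:
        return "1"
    if d <= 14:
        return "2"
    if d <= 21:
        return "3"
    if d <= 28:
        return "4"
    return "5"


def snap_to_week(ts: datetime) -> str:
    """Mirror of strftime(relative_time(_time, "-0w@w"), "%Y-%m-%d"):
    snap to the most recent Sunday 00:00 (Python: Monday=0 ... Sunday=6)."""
    days_since_sunday = (ts.weekday() + 1) % 7
    sunday = ts - timedelta(days=days_since_sunday)
    return sunday.replace(hour=0, minute=0, second=0, microsecond=0).strftime("%Y-%m-%d")


def bucket_counts(bucket_fn, events=EVENTS) -> dict:
    """Equivalent of '| stats count AS events BY _time' over labelled events."""
    return dict(sorted(Counter(bucket_fn(e) for e in events).items()))


def partial_weeks(counts: dict, full_week: int = 7) -> list:
    """Labels whose bin holds fewer than a full week of daily events: these
    are the 'extra' edge bins a search range not aligned to @w produces."""
    return [label for label, n in counts.items() if n < full_week]


if __name__ == "__main__":
    print("day-of-month:", bucket_counts(day_of_month_bucket))
    print("snap-to-Sunday:", bucket_counts(snap_to_week))
    print("partial week bins:", partial_weeks(bucket_counts(snap_to_week)))
```

Aligning the search range itself to week boundaries (earliest and latest both snapped with @w) is what removes the partial bins at either edge; the day-of-month scheme never produces them, but merges same-numbered slices from different months.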

martin_mueller
SplunkTrust

Do post the entire search you're running, over what time range, and what results you're getting in the statistics tab.
