- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- My weekly timespan shows bins that are more than w...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have set up an accelerated summary for a report with summary range of 1 month. I want to report summary by week. When I run a search with "timechart bins=4 span=1week...", I get 4 to 5 bins: one per week. But then I also get some other bins with days in addition to weekly bins in my search results. I don't want to get individual days that are outside the week boundaries. I never want to see data summarized by any granularity lower than a week. Do I need to change my acceleration setup or my timechart command in the search?
Splunk doc says to let them figure out the correct timespan. But I feel that they are summarizing at too low of a granular level (10min, 1hr). Regardless, I want the timechart command to show correct results with proper weekly bins.
What is wrong here?
Here is how my summary detail looks:
Details Learn more.
Summarization Load 0.0000
Access Count 0 Last Access: Never
Size on Disk 7.83MB
Summary Range 30 days
Timespans 10min, 1d, 1h, 1mon
Buckets 506
Chunks 1002
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do the bucketing yourself, like this, just before your timechart command:
... | eval _time = case((tonumber(strftime(_time, "%d")) <= 7), "1",
(tonumber(strftime(_time, "%d")) <= 14), "2",
(tonumber(strftime(_time, "%d")) <= 21), "3",
(tonumber(strftime(_time, "%d")) <= 28), "4",
true(), "5")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do the bucketing yourself, like this, just before your timechart command:
... | eval _time = case((tonumber(strftime(_time, "%d")) <= 7), "1",
(tonumber(strftime(_time, "%d")) <= 14), "2",
(tonumber(strftime(_time, "%d")) <= 21), "3",
(tonumber(strftime(_time, "%d")) <= 28), "4",
true(), "5")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @woodcock. This worked. I further modified it as follows to snap _time to the beginning of the week (Sunday):
| eval _time = strftime(relative_time(_time, "-0w@w"),"%Y-%m-%d")
| stats count as events by _time
Although, I am somewhat disappointed that timechart is not working as expected with its "span" and "bins" options. Anyway, thank you very much for your help!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do post the entire search you're running, over what time range, and what results you're getting in the statistics tab.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
