My current search below pulls findings for the current day and year-to-date starting 2/1/2021. I need help with a way to pull for the previous business week and year-to-date starting 2/1/2021. What adjustments can I make to the search below that will pull that?
index=overwatch-summary overwatch-vuln-type="*"
| where _time>strptime("2021/02/01 00:00:00","%Y/%m/%d %H:%M:%S")
| eval _time=if(_time < now()-86400, now()-86400, now())
| rex field=resource_id "subscriptions/(?<subscriptionId>[0-9a-fA-F\-]+)"
| lookup subscription_managed.csv subscriptionId OUTPUT managed
| fillnull value="Unmanaged" managed
| search managed=Unmanaged
| fillnull value="" blob_name
| eval unique_id=if(isnotnull(unique_id),unique_id,sha256('overwatch-vuln-type' . "_" . resource_id . "_" . issue . blob_name))
| chart dc(unique_id) as count over _time
| bin _time span=1d
| append
[ stats c
| eval _time=now()
| eval count=0
| bin _time span=1d
| fields _time count ]
| stats sum(count) as count by _time
The previous business week you can get with "snap to" on the relative_time command; this will calculate the start and end range of a week starting on Monday and ending on Sunday:
| eval start_week=relative_time(now(), "-w@w1"), end_week=start_week+(86400 * 7)
Note that your use of
| where _time>strptime("2021/02/01 00:00:00","%Y/%m/%d %H:%M:%S")
seems unnecessary, as you can either set that date range from your search time window or just use
earliest="02/01/2021:00:00:00"
on the search line.
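Putting the relative_time snap from the answer into the original search, as an added example that is not part of either post. The index, lookup, field names and the unique_id construction are taken from the question as posted; the start_week/end_week eval is the one from the answer; the output column names previous_week and year_to_date are my own choice. The absolute earliest modifier uses Splunk's %m/%d/%Y:%H:%M:%S format.

```spl
index=overwatch-summary overwatch-vuln-type="*" earliest="02/01/2021:00:00:00"
| rex field=resource_id "subscriptions/(?<subscriptionId>[0-9a-fA-F\-]+)"
| lookup subscription_managed.csv subscriptionId OUTPUT managed
| fillnull value="Unmanaged" managed
| search managed=Unmanaged
| fillnull value="" blob_name
| eval unique_id=if(isnotnull(unique_id),unique_id,sha256('overwatch-vuln-type' . "_" . resource_id . "_" . issue . blob_name))
| eval start_week=relative_time(now(), "-w@w1"), end_week=start_week+(86400 * 7)
| stats dc(eval(if(_time>=start_week AND _time<end_week, unique_id, null()))) as previous_week, dc(unique_id) as year_to_date
```

The dc(eval(...)) form counts a finding toward previous_week only when its _time falls inside the Monday-to-Sunday window and returns 0 when nothing matches, so the append subsearch from the question (which only existed to force a row with count=0) is not needed. year_to_date counts every finding since the earliest boundary, including the previous week. If "business week" should mean Monday through Friday only, change end_week to start_week+(86400 * 5). The snap in relative_time is evaluated in the search's time zone, so run the search under the same time zone setting the report consumers expect.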