Splunk Search

Summarize data per week

JandrevdM
Path Finder

Good day,

I have a query to summarize data per week. Is there a way to display my tables in a better way, as my dates for the past month would just be the dates in number format?

I would like to name the table Week 1, Week 2, Week 3 etc if possible.

index=db_it_network sourcetype=pan* url_domain="www.perplexity.ai" OR app=claude-base OR app=google-gemini* OR app=openai* OR app=bing-ai-base
| eval app=if(url_domain="www.perplexity.ai", url_domain, app)
| table user, app, _time
| stats count by user app _time
| chart count by app _time span=1w
| sort app 0


PickleRick
SplunkTrust

1. Don't put the "table" command in that place. It doesn't do anything useful and (in a distributed setup) moves the processing to the SH layer, effectively losing the advantage of parallel stats processing on indexers.

2. I can't quite grasp what's the point of that | stats | chart idea. First you count, then you count the counts.

3. There is a timechart command for time series.

4. The overall idea with eval is OK, but I'd rather use fieldformat - this way you can freely sort based on the actual underlying time data but present the data in a human-readable way.


JandrevdM
Path Finder

Hi @PickleRick 

Thanks for the support.

The reason for the | stats | chart is to make my data distinct by user. If I do not do this, then I get multiple entries per user for each URL. This allows a user to only hit one URL per week and then count them.

I will try the suggestion. I recently moved from KQL to SPL and will try to figure out the format for timechart and fieldformat.

Thank you!


PickleRick
SplunkTrust

Yup. That is one of the ways to handle it. 🙂


JandrevdM
Path Finder

index=db_it_network sourcetype=pan* url_domain="www.perplexity.ai" OR app=claude-base OR app=google-gemini* OR app=openai* OR app=bing-ai-base
| eval app=if(url_domain="www.perplexity.ai", url_domain, app)
| table user, app, _time
| eval week_num = "Week Number" . strftime(_time, "%U")
| stats count by user app week_num
| chart count by app week_num
| sort app 0
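Putting the four points above together, here is one way to write the search so that each row is a week, each column an app, and each cell the number of distinct users; this is an added example, not a search from the thread, and it assumes the same index, sourcetype and app values as the original search and that `user` is populated on every event.

```spl
index=db_it_network sourcetype=pan* (url_domain="www.perplexity.ai" OR app=claude-base OR app=google-gemini* OR app=openai* OR app=bing-ai-base)
| eval app=if(url_domain="www.perplexity.ai", url_domain, app)
| bin _time span=1w
| stats dc(user) AS distinct_users BY _time app
| eval week=_time
| xyseries week app distinct_users
| fillnull value=0
| sort 0 week
| fieldformat week="Week " . strftime(week, "%U") . " (w/c " . strftime(week, "%Y-%m-%d") . ")"
```

Because `week` stays an epoch number underneath, `sort` orders rows chronologically even across a year boundary, while `fieldformat` only changes how the cell is rendered. `timechart span=1w dc(user) by app` gives the same counts in fewer commands when the default _time display is acceptable.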