Splunk Search

Why is time chart with span of 1w always Thursday to Thursday?

mumblingsages
Path Finder

Title pretty much says it all. Every time I go to run a time chart with a span of 1 week it runs from Thursday to Thursday. Is there a specific reason for this? I have a workaround for it in most situations (one exception right now being counts by event types), but my gosh it's annoying.

Is there a setting somewhere to control this behavior?

0 Karma
1 Solution

woodcock
Esteemed Legend

One of these 2 links should give you what you need:
https://answers.splunk.com/answers/5350/possible-to-redefine-w-to-start-on-different-day.html
https://answers.splunk.com/answers/208499/how-to-group-events-per-weeknumber.html

In your case, I think all that you need to do is add the correct w# value to your span=1w (e.g. span=1w@w0); see what this does when run for Last 7 days:

index=_*
| multireport [
| bin span=1w@w0 _time
| eval DATASET="w0"
| stats count BY _time DATASET
][
| bin span=1w@w3 _time
| eval DATASET="w3"
| stats count BY _time DATASET
]


woodcock
Esteemed Legend

Try it again tomorrow!

0 Karma

DalJeanis
SplunkTrust

TL;DR:

...or you could do this to also start on a Sunday. (use "@w1" for Monday, "@w2" for Tuesday etc)

 | eval _time = relative_time(_time,"@w")

That's somewhat inconsistent, relative to the "@w" convention.

First, in a normal search, bin appears to use info_min_time to determine what day of the week is the first. That factor seems to affect even searches based on gentimes.

However, if you append something else, the bin for the something else is not necessarily the same, even if the _bin appears in the search after the various appends have occurred.

Second, because the first day in the universe (1/1/1970) was a Thursday, this formula will always become a Thursday. That appears to affect certain kinds of created data.

  | eval _time=604800*floor(_time/604800)

If you want a different day, then do this, where 4 is the number of days earlier in the week you want to move. Four days before Thursday is Sunday, so this will bin the weeks starting on Sunday.

 | eval _time = -4*86400+604800*floor((_time+4*86400)/604800)

...or you could do this to also start on a Sunday. (use "@w1" for Monday, "@w2" for Tuesday etc)

 | eval _time = relative_time(_time,"@w")

... and here's a run-anywhere snippet that you can play with to check what works and what doesn't...

| gentimes start=05/31/16 end=8/1/16 
| eval _time =starttime
| eval time1=strftime(_time,"%Y-%m-%d %a")
| eval time2=strftime(relative_time(_time,"@w"),"%Y-%m-%d %a") 
| bin _time span=1w as time3
| eval time3=strftime(time3,"%Y-%m-%d %a")
| eval _time = -4*86400+604800*floor((_time+4*86400)/604800) 
| stats values(time1) as time1 values(time2) as time2 values(time3) as time3 count by _time 
| eval showtime=strftime(_time,"%Y-%m-%d %a")
0 Karma
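
The epoch arithmetic in the answer above, worked through in Python as an added example (this is not code from the thread or from Splunk). It reproduces the two eval formulas exactly, then generalises them: `days_earlier_for_snap` maps any Splunk-style `@wN` weekday (0 = Sunday ... 6 = Saturday) to the offset that moves the Thursday boundary, and `count_by_week` mirrors `| bin ... | stats count by _time` so you can see how the weekly counts change when the boundary moves. All function names, the `EPOCH_WEEKDAY` constant and the sample events are my own; everything is computed in UTC, whereas Splunk's `@w` snaps in the search's timezone, so the two only agree when your timezone is UTC.

```python
from datetime import datetime, timezone

DAY = 86400
WEEK = 7 * DAY          # 604800, the constant used in the SPL above
EPOCH_WEEKDAY = 4       # 1970-01-01 was a Thursday (Sunday = 0 ... Saturday = 6)


def epoch_utc(year, month, day, hour=0):
    """Helper: UTC calendar date -> integer epoch seconds (used for constructed inputs)."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())


def fmt_utc(t):
    """Same formatting as strftime(_time,"%Y-%m-%d %a") in the snippet above, in UTC."""
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %a")


def bin_week_epoch(t):
    """`| eval _time=604800*floor(_time/604800)`: snaps to the most recent
    Thursday 00:00 UTC, because the epoch itself fell on a Thursday."""
    return WEEK * (t // WEEK)


def bin_week_shifted(t, days_earlier):
    """`| eval _time = -D*86400+604800*floor((_time+D*86400)/604800)`:
    shift forward D days, snap to Thursday, shift back D days, so the
    boundary lands D days before Thursday (D=4 gives Sunday)."""
    shift = days_earlier * DAY
    return -shift + WEEK * ((t + shift) // WEEK)


def days_earlier_for_snap(w):
    """Generalisation (my assumption, not from the thread): how many days the
    Thursday boundary must move backwards to emulate `@wN`, w in 0..6."""
    return (EPOCH_WEEKDAY - w) % 7


def bin_week_snap(t, w):
    """Epoch-arithmetic equivalent of relative_time(_time, "@wN"), UTC only."""
    return bin_week_shifted(t, days_earlier_for_snap(w))


def count_by_week(timestamps, w):
    """`| bin ... | stats count by _time`: events per week bucket, keyed by
    the bucket's start epoch, with the week starting on weekday w."""
    counts = {}
    for t in timestamps:
        start = bin_week_snap(t, w)
        counts[start] = counts.get(start, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: four events around the turn of June 2016
    events = [epoch_utc(2016, 5, 31, 9), epoch_utc(2016, 6, 1, 12),
              epoch_utc(2016, 6, 2, 3), epoch_utc(2016, 6, 5, 18)]
    for w in (EPOCH_WEEKDAY, 0):
        print(f"weeks starting on @w{w}:")
        for start, n in sorted(count_by_week(events, w).items()):
            print(f"  {fmt_utc(start)}  count={n}")
```

Running it shows the effect the question is about: with the default Thursday boundary the four sample events split 2/2 across the weeks of May 26 and June 2, while with a Sunday boundary (`@w0`) they split 3/1 across May 29 and June 5. Any weekly count in a report or alert threshold moves with the boundary, so it is worth fixing the `@wN` explicitly rather than relying on the epoch default.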

mumblingsages
Path Finder

Thanks, both of you. I had been doing the eval relative_time thing. But strangely enough, timechart with a span=1w@w0 is now giving me exactly what I wanted. I swear I've tried this before and it never worked, but now it is...

woodcock
Esteemed Legend

OK, so come back here and either post your own answer or click Accept on an existing one to close the question. Maybe UpVote around, too.

0 Karma