
Why is time chart with span of 1w always Thursday to Thursday?

Path Finder

Title pretty much says it all. Every time I go to run a time chart with a span of 1 week it runs from Thursday to Thursday. Is there a specific reason for this? I have a workaround for it in most situations (one exception right now being counts by event types), but my gosh it's annoying.

Is there a setting somewhere to control this behavior?

0 Karma
Re: Why is time chart with span of 1w always Thursday to Thursday?

SplunkTrust

TL;DR:

...or you could do this to also start on a Sunday. (use "@w1" for Monday, "@w2" for Tuesday etc)

 | eval _time = relative_time(_time,"@w")

That's somewhat inconsistent, relative to the "@w" convention.

First, in a normal search, bin appears to use infomintime to determine what day of the week is the first. That factor seems to affect even searches based on gentimes.

However, if you append something else, the bin for the something else is not necessarily the same, even if the _bin appears in the search after the various appends have occurred.

Second, because the first day in the universe (1/1/1970) was a Thursday, this formula will always become a Thursday. That appears to affect certain kinds of created data.

  | eval _time=604800*floor(_time/604800)

If you want a different day, then do this, where 4 is the number of days earlier in the week you want to move. Four days before Thursday is Sunday, so this will bin the weeks starting on Sunday.

 | eval _time = -4*86400+604800*floor((_time+4*86400)/604800)

...or you could do this to also start on a Sunday. (use "@w1" for Monday, "@w2" for Tuesday etc)

 | eval _time = relative_time(_time,"@w")

... and here's a run-anywhere snippet that you can play with to check what works and what doesn't...

| gentimes start=05/31/16 end=8/1/16 
| eval _time =starttime
| eval time1=strftime(_time,"%Y-%m-%d %a")
| eval time2=strftime(relative_time(_time,"@w"),"%Y-%m-%d %a") 
| bin _time span=1w as time3
| eval time3=strftime(time3,"%Y-%m-%d %a")
| eval _time = -4*86400+604800*floor((_time+4*86400)/604800) 
| stats values(time1) as time1 values(time2) as time2 values(time3) as time3 count by _time 
| eval showtime=strftime(_time,"%Y-%m-%d %a")
0 Karma
Re: Why is time chart with span of 1w always Thursday to Thursday?

Path Finder

Thanks both of you. I had been doing the eval relative_time thing. But strangely enough, timechart with a span=1w@w0 is now giving me exactly what I wanted. I swear I've tried this before and it never worked, but now it is...

Re: Why is time chart with span of 1w always Thursday to Thursday?

Esteemed Legend

OK, so come back here and either post your own answer or click Accept on an existing one to close the question. Maybe UpVote around, too.

0 Karma
Re: Why is time chart with span of 1w always Thursday to Thursday?

Esteemed Legend

One of these 2 links should give you what you need:
https://answers.splunk.com/answers/5350/possible-to-redefine-w-to-start-on-different-day.html
https://answers.splunk.com/answers/208499/how-to-group-events-per-weeknumber.html

In your case, I think all that you need to do is add the correct w# value to your span=1w (e.g. span=1w@w0 ); see what this does when run for Last 7 days:

index=_*
| multireport [
| bin span=1w@w0 _time
| eval DATASET="w0"
| stats count BY _time DATASET
][
| bin span=1w@w3 _time
| eval DATASET="w3"
| stats count BY _time DATASET
]

0 Karma
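Added illustration, not code from this thread and not Splunk code: the epoch arithmetic from the `604800*floor(_time/604800)` answer and the calendar snapping from the `span=1w@w0` answer, reproduced in plain Python over the same 2016 date range as the gentimes snippet, so the bin boundaries can be inspected outside Splunk. It also generalises the `-4*86400` shift to any `@w<n>` start day and shows the one practical caveat: the floor arithmetic is aligned to UTC, while `@w` snaps in the searching user's timezone, so a non-UTC user gets different boundaries. Only the standard library is used; the `@w<n>` numbering (0 = Sunday) follows Splunk's convention, and the hypothetical `offset_tz` helper just builds a fixed-offset zone for the comparison.

```python
"""Weekly bin boundaries: why 604800*floor(_time/604800) lands on Thursday,
how the -4*86400 shift moves it to Sunday, and how that compares with a
calendar snap like relative_time(_time, "@w") / bin span=1w@w0.

Added illustration for the Splunk Answers thread; not Splunk code."""
from datetime import datetime, timedelta, timezone

DAY = 86400
WEEK = 7 * DAY
# Splunk's @w<n> numbering: 0=Sunday ... 6=Saturday.
NAMES = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
THURSDAY = 4  # epoch 0 (1970-01-01 00:00 UTC) fell on a Thursday


def offset_tz(hours: int):
    """Fixed-offset zone (hypothetical helper), e.g. offset_tz(-7)."""
    return timezone(timedelta(hours=hours))


def splunk_weekday(ts: int, tz=timezone.utc) -> int:
    """Weekday of ts in tz, using Splunk's 0=Sunday numbering."""
    return (datetime.fromtimestamp(ts, tz).weekday() + 1) % 7


def bin_week_epoch(ts: int) -> int:
    """The thread's 604800*floor(_time/604800). Bin starts are whole weeks
    counted from epoch 0, so every boundary is Thursday 00:00 UTC."""
    return WEEK * (ts // WEEK)


def bin_week_starting(ts: int, start_day: int) -> int:
    """Generalisation of the thread's shift trick to any @w<n> start day.

    shift is the number of days from the wanted start day back to the
    epoch's Thursday; flooring in a coordinate system whose zero is that
    day puts every boundary on start_day. For start_day=0 (Sunday) shift
    is 4 days, i.e. -4*86400+604800*floor((_time+4*86400)/604800)."""
    shift = ((THURSDAY - start_day) % 7) * DAY
    return -shift + WEEK * ((ts + shift) // WEEK)


def snap_at_w(ts: int, start_day: int = 0, tz=timezone.utc) -> int:
    """Calendar snap, as relative_time(_time, "@w<n>") or bin span=1w@w<n>
    do: midnight of the most recent start_day, evaluated in tz. Splunk
    evaluates these in the searching user's timezone, which is where it
    diverges from the pure-epoch arithmetic above."""
    dt = datetime.fromtimestamp(ts, tz)
    back = (splunk_weekday(ts, tz) - start_day) % 7
    start = (dt - timedelta(days=back)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    return int(start.timestamp())


def weekly_bins(start_ts: int, end_ts: int, start_day: int = 0,
                tz=timezone.utc):
    """Walk one day at a time, like the thread's gentimes snippet, and report
    for each day the weekday of its epoch bin, shifted bin and @w bin."""
    rows = []
    ts = start_ts
    while ts < end_ts:
        day = datetime.fromtimestamp(ts, tz)
        rows.append((
            day.strftime("%Y-%m-%d %a"),
            NAMES[splunk_weekday(bin_week_epoch(ts))],
            NAMES[splunk_weekday(bin_week_starting(ts, start_day))],
            NAMES[splunk_weekday(snap_at_w(ts, start_day, tz), tz)],
        ))
        ts += DAY
    return rows


if __name__ == "__main__":
    # Same range as the thread's gentimes snippet: 05/31/16 to 8/1/16 (UTC).
    for row in weekly_bins(1464652800, 1470009600):
        print("  ".join(row))
    # Caveat: a user searching in UTC-7 sees @w snap to a different Sunday
    # than the UTC floor arithmetic for an event at 2016-06-05 03:00 UTC.
    ts = 1465095600
    print(bin_week_starting(ts, 0), snap_at_w(ts, 0, offset_tz(-7)))
```

In the UTC run every epoch bin reads Thu and both Sunday methods agree; the final line shows the shifted bin at 2016-06-05 00:00 UTC but the UTC-7 `@w` snap at 2016-05-29 07:00 UTC, because for that user the event is still Saturday evening. If your Splunk users are not on UTC, prefer `span=1w@w<n>` (or `relative_time` with `@w<n>`) over the floor formula, and expect DST to move the boundary by an hour twice a year.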
Re: Why is time chart with span of 1w always Thursday to Thursday?

Esteemed Legend

Try it again tomorrow!

0 Karma