Splunk Search

how to get data from starting day of this week till today and starting day of last week till same day in last week

Explorer

Hi All,
how to get data from starting day of this week till today and starting day of last week till same day in last week
example: I have data like:
Date, Transaction_count=100
Date, Transaction_count=120

for 07/02/2020 (mm/dd/yyyy) i want sum of transaction_count from 06/28/2020  to 07/02/2020 and also 
sum of transaction_count from 06/21/2020 to 06/25/2020

@All, Please help. Appreciate quick response.

 @niketnilay  @lspringer  @carasso 

Labels (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

@nagas as per your question if you want the stats last week till day of the week (same as today's day that week) and also current week till today's day, you can try and adjust the following run anywhere example as per your needs:

index=_internal sourcetype=splunkd log_level!=INFO earliest="-1w@w0" latest=now
| eval window=case(_time>=relative_time(now(),"-1w@w0") AND _time<=relative_time(now(),"-1w@s"),"Last Week",
_time>=relative_time(now(),"-0w@w0") AND _time<=relative_time(now(),"-0w@s"),"Current Week") 
| stats sum(date_hour) as Transaction_count min(_time) as EarliestEventTime max(_time) as LatestEventTime by window
| fieldformat EarliestEventTime=strftime(EarliestEventTime,"%Y/%m/%d %H:%M:%S")
| fieldformat LatestEventTime=strftime(LatestEventTime,"%Y/%m/%d %H:%M:%S")

If you need to do such comparison based on selected date in the past week, you may need to pass the epoch time as token to the SPL above and replace now() with that date. Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

SplunkTrust
SplunkTrust

@nagas as per your question if you want the stats last week till day of the week (same as today's day that week) and also current week till today's day, you can try and adjust the following run anywhere example as per your needs:

index=_internal sourcetype=splunkd log_level!=INFO earliest="-1w@w0" latest=now
| eval window=case(_time>=relative_time(now(),"-1w@w0") AND _time<=relative_time(now(),"-1w@s"),"Last Week",
_time>=relative_time(now(),"-0w@w0") AND _time<=relative_time(now(),"-0w@s"),"Current Week") 
| stats sum(date_hour) as Transaction_count min(_time) as EarliestEventTime max(_time) as LatestEventTime by window
| fieldformat EarliestEventTime=strftime(EarliestEventTime,"%Y/%m/%d %H:%M:%S")
| fieldformat LatestEventTime=strftime(LatestEventTime,"%Y/%m/%d %H:%M:%S")

If you need to do such comparison based on selected date in the past week, you may need to pass the epoch time as token to the SPL above and replace now() with that date. Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Explorer

@niketnilay 
Thank you.
It worked for me with few changes as you suggested.

Builder

@nagas you need to make use of the bin command and the chart command. 
Alternatively you can look at the timechart command

Here is an example, based on what you've posted.

 

| makeresults
| eval _raw="time, event, value
20/07/2020 09:00:00, order_one, 100
19/07/2020 09:00:00, order_two, 10
15/07/2020 09:00:00, order_three, 11
12/07/2020 09:00:00, order_four, 30
10/07/2020 09:00:00, order_five, 800
09/07/2020 09:00:00, order_six, 500
07/07/2020 09:00:00, order_seven, 40
06/07/2020 09:00:00, order_eight, 20
03/07/2020 09:00:00, order_nine, 12
01/07/2020 09:00:00, order_ten, 1000"
| multikv forceheader=1
| eval value = ltrim(value)
| eval _time = strptime(time, "%d/%m/%Y %H:%M:%S")
| bin _time span=1w@w
| chart sum(value) by _time
0 Karma

Explorer

@anmolpatel 
My issue is:

I need data from starting day of this week till today and starting day of last week till same day in last week
EX:
if today is wednesday,
I need count from sunday to wednesday of this week
and also 
count  from sunday to wednesday of last week 
so that i can do a comparison

Tags (1)
0 Karma