Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to get data from starting day of this week till today and starting day of last week till same day in last week

nagas
Explorer
‎07-20-2020 02:13 AM

Hi All,
how to get data from starting day of this week till today and starting day of last week till same day in last week
example: I have data like:
Date, Transaction_count=100
Date, Transaction_count=120

for 07/02/2020 (mm/dd/yyyy) i want sum of transaction_count from 06/28/2020  to 07/02/2020 and also 
sum of transaction_count from 06/21/2020 to 06/25/2020

@All, Please help. Appreciate quick response.

 @niketn  @lspringer  @carasso 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎07-20-2020 07:10 AM

@nagas as per your question if you want the stats last week till day of the week (same as today's day that week) and also current week till today's day, you can try and adjust the following run anywhere example as per your needs:

index=_internal sourcetype=splunkd log_level!=INFO earliest="-1w@w0" latest=now
| eval window=case(_time>=relative_time(now(),"-1w@w0") AND _time<=relative_time(now(),"-1w@s"),"Last Week",
_time>=relative_time(now(),"-0w@w0") AND _time<=relative_time(now(),"-0w@s"),"Current Week") 
| stats sum(date_hour) as Transaction_count min(_time) as EarliestEventTime max(_time) as LatestEventTime by window
| fieldformat EarliestEventTime=strftime(EarliestEventTime,"%Y/%m/%d %H:%M:%S")
| fieldformat LatestEventTime=strftime(LatestEventTime,"%Y/%m/%d %H:%M:%S")

If you need to do such comparison based on selected date in the past week, you may need to pass the epoch time as token to the SPL above and replace now() with that date. Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎07-20-2020 07:10 AM

@nagas as per your question if you want the stats last week till day of the week (same as today's day that week) and also current week till today's day, you can try and adjust the following run anywhere example as per your needs:

index=_internal sourcetype=splunkd log_level!=INFO earliest="-1w@w0" latest=now
| eval window=case(_time>=relative_time(now(),"-1w@w0") AND _time<=relative_time(now(),"-1w@s"),"Last Week",
_time>=relative_time(now(),"-0w@w0") AND _time<=relative_time(now(),"-0w@s"),"Current Week") 
| stats sum(date_hour) as Transaction_count min(_time) as EarliestEventTime max(_time) as LatestEventTime by window
| fieldformat EarliestEventTime=strftime(EarliestEventTime,"%Y/%m/%d %H:%M:%S")
| fieldformat LatestEventTime=strftime(LatestEventTime,"%Y/%m/%d %H:%M:%S")

If you need to do such comparison based on selected date in the past week, you may need to pass the epoch time as token to the SPL above and replace now() with that date. Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

nagas
Explorer
‎07-21-2020 01:16 AM

@niketn 
Thank you.
It worked for me with few changes as you suggested.

Reply
Solved! Jump to solution

anmolpatel
Builder
‎07-20-2020 02:31 AM

@nagas you need to make use of the bin command and the chart command. 
Alternatively you can look at the timechart command

Here is an example, based on what you've posted.

 

| makeresults
| eval _raw="time, event, value
20/07/2020 09:00:00, order_one, 100
19/07/2020 09:00:00, order_two, 10
15/07/2020 09:00:00, order_three, 11
12/07/2020 09:00:00, order_four, 30
10/07/2020 09:00:00, order_five, 800
09/07/2020 09:00:00, order_six, 500
07/07/2020 09:00:00, order_seven, 40
06/07/2020 09:00:00, order_eight, 20
03/07/2020 09:00:00, order_nine, 12
01/07/2020 09:00:00, order_ten, 1000"
| multikv forceheader=1
| eval value = ltrim(value)
| eval _time = strptime(time, "%d/%m/%Y %H:%M:%S")
| bin _time span=1w@w
| chart sum(value) by _time
0 Karma
Reply
Solved! Jump to solution

nagas
Explorer
‎07-20-2020 02:49 AM

@anmolpatel 
My issue is:

I need data from starting day of this week till today and starting day of last week till same day in last week
EX:
if today is wednesday,
I need count from sunday to wednesday of this week
and also 
count  from sunday to wednesday of last week 
so that i can do a comparison

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...