First, thank you for including data emulation in the question.

There are two aspects that Splunk chooses to address separately. The first is the calendar time anchor. (I think Splunk calls this "snap-to"; see Date and time format variables.) If you use @w with the span attribute, timechart will snap to the beginning of the week, which is deemed to be the start of Sunday on the CE calendar, whichever timezone the search head uses. For example, using your emulation with

```
| timechart span=1w@w first(MathGrade) by Student useother=f limit=0
```

gives

| _time | Student1 | Student2 |
|---|---|---|
| 2024-02-04 | 10 | 9 |
| 2024-02-11 | 6 | 8 |
| 2024-02-18 | 10 | 9 |
| 2024-02-25 | 7 | 6 |

Now, your ask is to begin a week on an arbitrary day. Given timechart doesn't support this, the hack is to shift time back and forth. For example, 02/09/2024 is a Friday, or day 5 in Splunk's dow count.

```
| eval _time = relative_time(_time, "-5d@d")
| timechart span=1w@w first(MathGrade) by Student useother=f limit=0
| eval _time = relative_time(_time, "+5d@d")
```

Using the same emulation, the above gives

| _time | Student1 | Student2 |
|---|---|---|
| 2024-02-02 | 10 | 9 |
| 2024-02-09 | 8 | 6 |
| 2024-02-16 | 9 | 8 |
| 2024-02-23 | 5 | 9 |

Hope this helps.
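The shift, snap, shift-back arithmetic from the answer above, modelled in Python for any week-start day so the bucket boundaries can be checked before a weekly report or alert depends on them. This is an added example, not part of the original answer: the function names and sample timestamps are constructed here, and it assumes naive timestamps (no timezone or DST handling).

```python
from datetime import datetime, timedelta


def splunk_dow(d: datetime) -> int:
    """Day of week in the answer's count: Sunday=0 ... Saturday=6."""
    return (d.weekday() + 1) % 7  # Python itself counts Monday=0


def midnight(d: datetime) -> datetime:
    """Model of the @d snap: truncate to the start of the day."""
    return d.replace(hour=0, minute=0, second=0, microsecond=0)


def snap_to_week(d: datetime) -> datetime:
    """Model of span=1w@w: bucket start is 00:00 on the preceding Sunday."""
    return midnight(d) - timedelta(days=splunk_dow(d))


def week_bucket(ts: datetime, week_start_dow: int) -> datetime:
    """Start of the weekly bucket for ts when weeks begin on week_start_dow."""
    shift = timedelta(days=week_start_dow)
    shifted = midnight(ts - shift)    # relative_time(_time, "-Nd@d")
    bucket = snap_to_week(shifted)    # timechart span=1w@w
    return midnight(bucket + shift)   # relative_time(_time, "+Nd@d")


# Constructed event times on either side of a Friday boundary.
SAMPLE = [
    datetime(2024, 2, 8, 23, 59),   # Thursday, last minute of the old week
    datetime(2024, 2, 9, 0, 0),     # Friday, first instant of the new week
    datetime(2024, 2, 15, 12, 0),   # Thursday
    datetime(2024, 2, 16, 8, 30),   # Friday
]


def bucket_starts(events, week_start_dow):
    """Bucket start date (YYYY-MM-DD) for each event, in input order."""
    return [week_bucket(e, week_start_dow).strftime("%Y-%m-%d") for e in events]


if __name__ == "__main__":
    friday = splunk_dow(datetime(2024, 2, 9))  # 5, as in the answer
    for event, start in zip(SAMPLE, bucket_starts(SAMPLE, friday)):
        print(event.isoformat(), "->", start)
```

With `week_start_dow=0` the shift is zero and the result is the plain Sunday-anchored bucket that `span=1w@w` gives on its own.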