I tried different methods, but couldn't group events per week.
With span=1week, it seems to do a rotating 7 days.
Is there any way to define the week number in Splunk?
I found a workaround for searches and dashboards: manually extract the week number after the search using strftime.
… | eval weeknumber=strftime(_time,"%U") | stats count by weeknumber
To avoid confusion between years, I like to use the year, which helps to sort them in chronological order.
… | eval dateyearweek=strftime(_time,"%Y-%U") | stats count by dateyearweek
Depending on your country, you have 2 variations:
It may have been "strftime(_time,"%U")" as yannK said.
But in the current Splunk version, the week number is defined by "%V".
So, the code snippet should be:
| eval dateyearweek=strftime(_time,"%Y-%V") | stats count by dateyearweek
See Docs for more info. Best Regards!
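The week keys produced by the format strings in the answers above, checked at a year boundary, as an added Python example that is not code from the thread. It assumes Python's strftime returns the same values as Splunk's for %Y, %U and %V, and it goes one step beyond the thread by also showing %G (the ISO week-based year, a standard C conversion); whether a given Splunk version accepts %G is not stated on this page. The event times are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample event times around a year boundary (not real data).
SAMPLE_EVENTS = [
    "2020-12-27 09:15:00",  # Sunday
    "2020-12-28 11:02:00",  # Monday
    "2020-12-31 23:59:00",  # Thursday
    "2021-01-01 00:05:00",  # Friday
    "2021-01-03 14:30:00",  # Sunday
    "2021-01-04 08:00:00",  # Monday
]


def week_counts(events, fmt):
    """Mimic `eval k=strftime(_time, fmt) | stats count by k`.

    Keys are returned in chronological (first-seen) order.
    """
    times = sorted(datetime.strptime(e, "%Y-%m-%d %H:%M:%S") for e in events)
    return dict(Counter(t.strftime(fmt) for t in times))


def sorts_chronologically(events, fmt):
    """True if sorting the week keys as text matches their order in time."""
    keys = list(week_counts(events, fmt))
    return keys == sorted(keys)


if __name__ == "__main__":
    # %Y-%U: Sunday-based weeks; days before the first Sunday fall in week 00.
    # %Y-%V: ISO week number paired with the calendar year.
    # %G-%V: ISO week number paired with the ISO week-based year.
    for fmt in ("%Y-%U", "%Y-%V", "%G-%V"):
        print(fmt, week_counts(SAMPLE_EVENTS, fmt),
              "text sort is chronological:",
              sorts_chronologically(SAMPLE_EVENTS, fmt))
```

With "%Y-%V", 1 and 3 January 2021 land in "2021-53", which sorts after every other week of 2021 and splits ISO week 53 across two keys; "%G-%V" keeps that week together as "2020-53".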