Change the day from where the week starts in bucke...

tikoonikhil · ‎10-13-2016

I am running this query in splunk which aggregates and bucketizes the data on a weekly basis , based on the field "impact_start" and gives me the output. But the problem is that the start of the week in the output is Thursday rather than Monday.
Is there any way i can change the start of the week to Monday instead of Thursday?

search index=* impact=1 OR impact=2 product_line=* | eval time = round( strptime(impact_start,"%Y-%m-%d %H:%M:%S"), 0 )| where time >= 1473328728 AND time<=1476352728| bucket time span=7d | stats values(number) as incident_name by time

sundareshr · ‎10-13-2016

See if this works

search index=* impact=1 OR impact=2 product_line=* 
| eval time = round( strptime(impact_start,"%Y-%m-%d %H:%M:%S"), 0 ) 
| where time >= 1473328728 AND time<=1476352728 
| evenstats earliest(_time) as e
| eval time=if(e=_time AND _time>relative_time(_time, "-@w1"), mvrange(relative_time(_time, "-@w1"), _time), _time)
| mvexpand time
| fillnull number
| bucket time span=7d 
| stats values(number) as incident_name by time

davebrooking · ‎10-13-2016

I think this answer may point you in the right direction

Dave

Change the day from where the week starts in bucket.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!