Splunk Enterprise Security

Column Chart over repeating day ranges - Is it possible to do a sum on "grouped days"?

mjon395
Explorer

Hello,

I've been trying a few different ways, with no luck, to represent some server counts that I see happening on Thursday, Friday, Saturday, Sunday, Monday (sometimes).

Unfortunately, it seems like I can't do this count "per week", as we need to count per the last "scan time", which will start Thursday and end on the latest Monday.

I started looking into my possible options, and think I have half an idea of how to accomplish it, but if there are better ideas then that would be awesome as well.

Is it possible to do a sum based on "grouped days" (Thurs+Fri+Sat+Sun+Mon, or dayofweek 4,5,6,0,1)?  The main thing I can't get over is how to differentiate the "grouped days".  We like to evaluate based on the "current week" of the year, but this would bring our "grouped days" to persisting through multiple "current weeks" of the year (this is the variable 'weekofyear').

Essentially, I need to count weekofyear where the output would be like:

Department   Week of Year (technically, this is our "scan cycle")   Server Count (Server_Responses)
Dept.A       10 (combined across Thurs, Fri, Sat, Sun, Mon...)        100 (i.e. we saw 3 Thurs, 90 Fri, 3 Sat, 3 Sun, 1 Mon...)
Dept.B       10                                                       200
Dept.A       11                                                       105 (i.e. we saw 10 Thurs, 80 Fri, 10 Sat, 3 Sun, 2 Mon...)
Dept.B       11                                                       203


I haven't really gotten any further than just evaluating date commands to evaluate my options.  Other than that, I just have a line chart indicating a day of week over the counts... It's not very pretty.


index=blah sourcetype=blah blah
```what I have been looking at so far...```
| rename server_id as "Server_Responses"
```at this point I was just looking at the possibilities to count by an aggregated "day of week in number" or by "dayofweek(short|full)", and read all possibilities```
| eval dayofweekshort=strftime(_time,"%a")
```span is a timechart option and goes before the aggregations; after timechart, _time is the start of each weekly bucket, so the evals below only see the bucket start```
| timechart span=1w count(ping.status) as pingstats, dc("Server_Responses") by Department
```Start evaluating possible days, weeks, months, current weeks, etc```
| eval dayofweekshort=strftime(_time,"%a") | eval dayofweekfull=strftime(_time,"%A") | eval dayofweekasnumber=strftime(_time,"%w")
| eval dayofmonth=strftime(_time,"%d")
| eval weekofmonth=floor(dayofmonth/7)+1
| eval weekofyear=strftime(_time,"%U")
| fields - day


ITWhisperer
SplunkTrust

Recalculate day of the week and week of the year by adding 3 days to make Thursday the start of the week, then filter out days which are not wanted.

| gentimes start=-120 increment=1h ```one event per hour for the last 120 days, as sample data```
| rename starttime as _time 
| eval server_responses=random()%100 ```random sample counts```
| eval department="Server ".mvindex(split("ABC",""),random()%3) ```random sample department```
| eval dayoftheweek=strftime(_time,"%a")
```shift by 3 days so that Thursday maps to Sunday (%w=0), the first day of a %U week```
| eval dayofweekasnumber=strftime(relative_time(_time,"+3d"),"%w")
| eval weekofyear=strftime(relative_time(_time,"+3d"),"%U")
```shifted days 0-4 are Thu..Mon; Tue and Wed get null and so drop out of the stats below```
| eval grouped=if(dayofweekasnumber<5,1,null())
| stats sum(server_responses) as server_responses by weekofyear grouped department
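As an added illustration of the shift-by-three-days trick in the answer above (this is an editorial example, not code from the thread and not SPL), here is the same grouping logic in plain Python over a constructed set of events. The departments, dates and counts are made up so that the first scan cycle reproduces the 100/200 and 105/203 totals from the question's table. It goes one step beyond the answer by prefixing the cycle id with the year (`%Y-%U`), so cycles from different years never share an id; the `scan_cycle`, `sum_by_cycle` and `as_rows` names are this example's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not data from the thread: (timestamp, department, server_responses).
# 2024-03-07 is a Thursday. Dept.A adds up to 3+90+3+3+1 = 100 in the first cycle and
# 10+80+10+3+2 = 105 in the next; the Tuesday/Wednesday rows are noise that must be excluded.
SAMPLE_EVENTS = [
    (datetime(2024, 3, 7), "Dept.A", 3),    # Thu: cycle starts
    (datetime(2024, 3, 8), "Dept.A", 90),   # Fri
    (datetime(2024, 3, 8), "Dept.B", 200),  # Fri
    (datetime(2024, 3, 9), "Dept.A", 3),    # Sat
    (datetime(2024, 3, 10), "Dept.A", 3),   # Sun
    (datetime(2024, 3, 11), "Dept.A", 1),   # Mon: still the cycle that started Thu 03-07
    (datetime(2024, 3, 12), "Dept.A", 50),  # Tue: outside any scan cycle
    (datetime(2024, 3, 13), "Dept.B", 50),  # Wed: outside any scan cycle
    (datetime(2024, 3, 14), "Dept.A", 10),  # Thu: next cycle starts
    (datetime(2024, 3, 15), "Dept.A", 80),  # Fri
    (datetime(2024, 3, 15), "Dept.B", 203), # Fri
    (datetime(2024, 3, 16), "Dept.A", 10),  # Sat
    (datetime(2024, 3, 17), "Dept.A", 3),   # Sun
    (datetime(2024, 3, 18), "Dept.A", 2),   # Mon
]

SHIFT = timedelta(days=3)  # Thursday + 3 days = Sunday, i.e. %w == 0, the first day of a %U week
CYCLE_DAYS = 5             # shifted %w values 0..4 are Thu, Fri, Sat, Sun, Mon


def scan_cycle(ts):
    """Map a timestamp to (cycle_id, in_cycle).

    cycle_id is the %U week number of the shifted timestamp, prefixed with the year
    (hypothetical extension: the thread's weekofyear carries no year).
    in_cycle is False for Tuesday and Wednesday, which fall outside Thu..Mon.
    """
    shifted = ts + SHIFT
    shifted_wday = int(shifted.strftime("%w"))
    return shifted.strftime("%Y-%U"), shifted_wday < CYCLE_DAYS


def sum_by_cycle(events):
    """Same effect as `stats sum(server_responses) by weekofyear department` after the filter."""
    totals = defaultdict(int)
    for ts, department, responses in events:
        cycle, in_cycle = scan_cycle(ts)
        if not in_cycle:
            continue  # Tue/Wed events are dropped, like the null() rows in the SPL answer
        totals[(department, cycle)] += responses
    return dict(totals)


def as_rows(events):
    """Rows in the shape the question asks for: (department, cycle, server_count), sorted."""
    return sorted((dept, cycle, total) for (dept, cycle), total in sum_by_cycle(events).items())


if __name__ == "__main__":
    for dept, cycle, total in as_rows(SAMPLE_EVENTS):
        print(f"{dept:8} {cycle:8} {total}")
```

Run it and the four rows come out as Dept.A/Dept.B for cycles 2024-10 and 2024-11, matching the question's table; the Tuesday and Wednesday events contribute nothing. In the SPL answer the same year-qualification is a one-character change, using the format string "%Y-%U" in place of "%U" in the weekofyear eval.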