Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Detect Start-of-Week & Weekly aggregations

anirbandasdeb
Path Finder
‎07-24-2018 01:02 AM

Hello splunkers,

We have to calculate some KPIs, on time-series data, aggregated by multiple factors, with time being the most important one.
The most common time aggregations for us are monthly and weekly.

Scenario: Calculate the weekly trend of a KPI for the month of May 2018 [ref image attached]

alt text

How one would normally do it would be [assume week start on Sunday]:
Week Date
1: 1 - 5
2: 6 - 12
3: 13 - 19
4: 20 - 26
5: 27 - 31

Thus there will be 5 data points.

How do I implement this in Splunk?

The way I figured out to do it now is use "bin span=1w _time", but it does not detect the week start.
However, this approach plainly takes 7 days from the 1st of the month and the result is that we have skewed weeks leading to misleading KPI values.

Tags (1)
Preview file
13 KB
0 Karma
Reply

anirbandasdeb
Path Finder
‎07-24-2018 08:25 PM

One way I figured out how to do this is using: 

| eval Week = strftime(strptime(_time, "%Y-%m-%d %H:%M:%S.%N"), "%V")

strptime converts the _time [formatted in "%Y-%m-%d %H:%M:%S.%N"] to Unix epoch time. Then strftime extracts the week of year from the epoch time using "%V"

The variable %V is not mentioned in the documentation.

However, how do I declare custom weeks, if the business requirements are as such?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...