Solved: Re: How to snap span with bucket

aarcro · ‎05-29-2012

So I want use bucket to group my data by weeks that start on Mondays if I change my query to use earliest=-1w@w1 latest=@w1 Then bucket span=week does the right thing. But I'm going to be running a daily (or hourly) summary index, that I want to bucket by weeks including the current week in progress.

Index:

sourcetype="source" | bucket _time span=day | stats count by severity, customer, _time

Search that works for daily counts

search severity > 9 customer="name" | eval Day=strftime(_time, "%Y-%m-%d")|  eval n="count" | xyseries Day, n, count

I need a search that works for weekly counts snapped to mondays.

lguinn2 · ‎05-30-2012

How does this work for you?

search severity > 9 customer="name" | 
eval Week=relative_time(_time, "@w1") |  
eval n="count" | 
xyseries Week, n, count

View solution in original post

lguinn2 · ‎05-30-2012

How does this work for you?

search severity > 9 customer="name" | 
eval Week=relative_time(_time, "@w1") |  
eval n="count" | 
xyseries Week, n, count

lguinn2 · ‎05-31-2012

search severity > 9 customer="name" |
eval Week=relative_time(_time, "@w1") |

stats count by severity customer Week |
eval n="count" |
xyseries Week, n, count

though I am unclear on why you want count by severity and customer as well as by week...

aarcro · ‎05-30-2012

Actually need to run through stats again to sum(count) by Week

aarcro · ‎05-30-2012

relative_time() - Works perfect! Thanks.

How to snap span with bucket

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?