Hi,
My managers posted a request for data.
They want to see a weekly comparison over the course of a month.
The catch is that if the 1st of a month starts on a Tuesday, they want to see the data from Sunday, which is the last 2 days of the previous month.
Again, if the 1st starts on Thursday, they want to see data from Sunday, etc.
I wanted to know if there is a way to specify earliest & latest values dynamically by weeks.
E.g. earliest=-1month@month and snap to Sunday, latest=-1month@month and snap to Saturday, and to change those values for each week.
I know that there's an app for that called Timewrap, but installing it is complicated, so I'm trying to get a workaround using the search.
Thank you!
To snap the earliest to the first day of the week of the previous month (even if it falls in another month), use earliest=-1mon@mon@w, or earliest=@mon@w if you are just looking at the current month.
From there, to get week over week, you can use |bucket _time span=7d
Hi @naty - What version of Splunk are you using? Because as of 6.5.0, Splunk added the timewrap command so you wouldn't have to install the Timewrap add-on.
Hi @aaraneta - about the Timewrap, I saw that it shows a weekly basis based on 7 days.
For example, for November I will see a line representing the 24th-30th, another for 17th-23rd and so on until the start of the month.
That is because November ended on Thursday, so it takes a week as Thursday till Thursday.
But I have a question about it since it's not very well documented - the Timewrap will show a weekly basis, but according to my example above for November, the last week I will see is 3rd-9th of November, and I still wish to see the 1st & 2nd.
Is it showing that to me?
If not, how can I see them on the weekly basis graph?
Is there a way to do the timewrap without manipulating the _time so I could see the times for every week?
Hi @naty - I'm sorry, I'm not an expert on timewrap so unfortunately I wouldn't be able to help you much. But you may have some luck by joining our public Slack chat!
There are 1300+ Splunk users in our public Slack chat. People ask each other for immediate help on there daily. You can share this follow-up question/link to your post there to see if anyone can take a stab at it.
You first have to request access through www.splunk402.com/chat. Fill out the form, and once you receive the approval email, you can access Slack.com and ask for help in the #general channel.
Hi,
You saved me!!
We actually just upgraded to 6.5.1 last week 😄
I tried the timewrap now and it worked perfectly!!!
Thank you!
I understood that I can use the Timewrap app using 6.5.
Luckily for me, we just upgraded to 6.5.1 last week 😄
But this should work too, thank you!!! (didn't know you could do -1mon@mon@w, thought you could only do 1-mon@mon and that's it 🙂 )
Hi @cmerriman,
I have tested your answer.
The span=7d is not good since I want to see span=1h and compare an hourly span of every week of the month.
Let's say that for November, I would like to do a search to get an hourly span from: October 30th - November 5th, November 6th - November 12th, November 13th - November 19th, November 20th - November 26th, November 27th - December 3rd.
Notice that I took the previous month, but I need the start of the month and then snap to the start of the week.
You gave me an answer for that with earliest=-1mon@mon@w which was excellent, but how do I do the latest to snap to the end of that week?
Also, do you know how to specify the earliest & latest for each week?
Thank you!
Maybe try something like
...|eval weekBegin=strftime(relative_time(_time,"@w"),"%D")|eval weekEnd=strftime(relative_time(_time,"@w+6d"),"%D")|eval week=weekBegin+" - "+weekEnd|timechart span=1h count by week
or whatever stats command you needed
Doesn't -1mon@w do exactly what you want? Go back one month, then to the start of that week.
Hi, thank you for the reply!
Correct me if I'm wrong, but I think it will do something else.
For example - if I'm on the 25th of June and I go -1mon@w, then I'll go to the 25th of May and the start of that week.
Right, sorry - @mon@w does it, I was going back one month further than needed.
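The following is an added example, not code from any poster in this thread: a Python sketch of the arithmetic behind -1mon@mon@w, producing one explicit earliest/latest pair per Sunday-to-Saturday week of the previous month. The function names and the December 2016 reference date are assumptions chosen to reproduce the November weeks listed in the question; latest is written as the following Sunday at midnight, assuming it is treated as an exclusive bound.

```python
from datetime import date, timedelta

def snap_to_sunday(d):
    """Round a date down to its Sunday, like Splunk's @w snap."""
    # date.weekday() is Monday=0 .. Sunday=6, so days since Sunday = (weekday + 1) % 7
    return d - timedelta(days=(d.weekday() + 1) % 7)

def previous_month_bounds(today):
    """Return (first day of previous month, first day of current month)."""
    this_month = today.replace(day=1)                             # like @mon
    prev_month = (this_month - timedelta(days=1)).replace(day=1)  # like -1mon@mon
    return prev_month, this_month

def weekly_windows(today):
    """Sunday-aligned [start, end) windows covering every day of the previous month."""
    prev_month, this_month = previous_month_bounds(today)
    start = snap_to_sunday(prev_month)  # like -1mon@mon@w, may land in the month before
    windows = []
    while start < this_month:
        windows.append((start, start + timedelta(days=7)))
        start += timedelta(days=7)
    return windows

def as_splunk_range(window):
    """Format one window as explicit earliest/latest values (%m/%d/%Y:%H:%M:%S)."""
    fmt = "%m/%d/%Y:%H:%M:%S"
    start, end = window
    return 'earliest="{}" latest="{}"'.format(start.strftime(fmt), end.strftime(fmt))

if __name__ == "__main__":
    # Constructed reference date: any day in December 2016 selects November 2016.
    for w in weekly_windows(date(2016, 12, 5)):
        last_day = w[1] - timedelta(days=1)  # the Saturday that closes the week
        print(w[0].isoformat(), "-", last_day.isoformat(), "|", as_splunk_range(w))
```

Each printed pair can be pasted into a separate search, one per week.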