- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- timewrap bug + last N Fridays
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If i want to see the last N fridays I would do a search like below:
index=core eventtype="Device_Usage" psThrputMbps DeviceName=Device1 earliest=-20d@d latest=+d@d | timechart span=15m avg(psThrputMbps) by DeviceName | eval wday = strftime(_time, "%a") | where wday = "Fri" | fields - wday | timewrap d series=exact
However I am noticing a bug, it seems to be to do it when you want the friday values from the previous month.
Bug explained:
I got the above search to work for me, but it has a bug in that it is is showing 4 values for Apr2nd (11.00,11.15,11.30,11.45). Apr2nd was a thursday. It is also missing the last 4 values for Apr3rd (11.00,11.15,11.30,11.45).
So it is showing Apr17th, Apr10th, and Apr3rd (all fridays) in the legend, but as I mention above it has a bug, it is showing Apr2nd values with 4 values and these are the 4 values missing from Apr3rd.
Not sure if this is data coruption for them specific dates or something else? I don't think this is the case as have tried this with different weekdays and it persists.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DST was the issue as mentioned above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a thought, but this might be something to do with the DST overlap given the 1 hour moving back.
If you restrict to your search to after the 5th of April, do you still see the issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tks for that, I was slowly coming to that conclusion my self but you have helped me confirm it, although I am not exactly sure how it is happening?
Anyhow I will accept this and check it next month to see if it still occurs. tks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just removed this from my search earliest=-20d@d latest=+d@d and used the date selector to only look at march and it worked perfectly. So this further confirms. I will further confirm it next month.
Would still like to understand how the DST makes this bug? oh well...
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
