Splunk Search

How can you restrict timechart to display only weekdays?

Glenn
Builder

I know how to exclude certain days from your search results: http://splunk-base.splunk.com/answers/1367/how-do-you-exclude-certain-days-from-a-time-range

But if you then pipe these results through timechart, the time line covers all days, and you just have gaps where the weekdays fall.

We have this requirement as we need to report on daily averages over time, but the values on weekends are skewed as the number of samples drops significantly. It appears that there are spikes in the data which misleads the user.

0 Karma

cvajs
Contributor

example (mon-fri)
index=cisco_esa (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday)

index=cisco_esa (date_wday!=saturday AND date_wday!=sunday)

example (sat and sun only)
index=cisco_esa (date_wday!=monday AND date_wday!=tuesday AND date_wday!=wednesday AND date_wday!=thursday AND date_wday!=friday)

index=cisco_esa (date_wday=saturday OR date_wday=sunday)

then pipe as needed.
see http://docs.splunk.com/Documentation/Splunk/4.3.1/User/UseDefaultAndInternalFields
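
An added example, not part of the original thread or of the post above: the same date_wday filter feeding chart over a formatted date string instead of timechart. Because day is a string, the x-axis is categorical and holds only the days that actually have events, so no empty weekend buckets are drawn. The field name day is an assumption made for this example, and count stands in for whatever statistic is being reported.

```spl
index=cisco_esa (date_wday!=saturday AND date_wday!=sunday)
| eval day=strftime(_time, "%Y-%m-%d")
| chart count over day
```

The ISO date format keeps the rows in chronological order, since chart sorts the string values of day.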

cvajs
Contributor

Then create separate charts (views) for only the timeframes that contain the successive days; this way the chart(s) won't have breaks, etc. I dunno if you can tell stats, timechart or chart to skip time.

0 Karma

Glenn
Builder

Hi, thanks for your attempt. But unfortunately (at least when I view it in the report builder) timechart does not behave as you believe in 4.3.1 - it draws a chart containing the entire time span, and the weekend days which I have excluded have no data, i.e. gaps/breaks in the lines. This looks a bit stupid.

0 Karma

cvajs
Contributor

OK, misread the question, but then again, not really sure what the question is. timechart will chart the data from the search and if a day has no data then that day's avg will be zero. I believe the timechart will have a timeline of whatever your search was, so if you say only sat and sun over the last 3 weeks then timechart will show 3 weeks with only data on sat and sun, etc.

0 Karma

sowings
Splunk Employee

Would a logarithmic scale make sense, so that the spikes are less pronounced?

0 Karma