I know how to exclude certain days from your search results: http://splunk-base.splunk.com/answers/1367/how-do-you-exclude-certain-days-from-a-time-range
But if you then pipe these results through timechart, the time line covers all days, and you just have gaps where the weekdays fall.
We have this requirement as we need to report on daily averages over time, but the values on weekends are skewed as the number of samples drops significantly. It appears that there are spikes in the data which misleads the user.
example (mon-fri)
index=cisco_esa (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday)
index=cisco_esa (date_wday!=saturday AND date_wday!=sunday)
example (sat and sun only)
index=cisco_esa (date_wday!=monday AND date_wday!=tuesday AND date_wday!=wednesday AND date_wday!=thursday AND date_wday!=friday)
index=cisco_esa (date_wday=saturday OR date_wday=sunday)
Then pipe as needed.
See http://docs.splunk.com/Documentation/Splunk/4.3.1/User/UseDefaultAndInternalFields
Then create separate charts (views) for only the timeframes that contain the successive days; this way the chart(s) won't have breaks, etc. I dunno if you can tell stats timechart or chart to skip time.
Hi, thanks for your attempt. But unfortunately (at least when I view it in the report builder) timechart does not behave as you believe in 4.3.1 - it draws a chart containing the entire time span, and the weekend days which I have excluded have no data, i.e. gaps/breaks in the lines. This looks a bit stupid.
OK, misread the question, but then again, not really sure what the question is. timechart will chart the data from the search, and if a day has no data then that day's avg will be zero. I believe the timechart will have a timeline of whatever your search was, so if you say only sat and sun over last 3 weeks then timechart will show 3 weeks with only data on sat and sun, etc.
Would a logarithmic scale make sense, so that the spikes are less pronounced?
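An added example, not part of the original thread: one way to chart weekday-only daily averages without weekend gaps is to bucket by day, aggregate with stats instead of timechart, and replace _time with a string label, so the chart plots one category per remaining day rather than a continuous timeline. `your_metric_field` is a placeholder for whichever field is being averaged; the thread does not name it.

```spl
index=cisco_esa (date_wday!=saturday AND date_wday!=sunday)
| bucket _time span=1d
| stats avg(your_metric_field) AS daily_avg BY _time
| sort 0 _time
| eval day=strftime(_time, "%Y-%m-%d %a")
| table day daily_avg
```

The date_wday field is taken from the timestamp text in the raw event, so events whose timestamp was not extracted from the event itself will not carry it and are dropped by the filter.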