Hi All,
For a trend chart, I have data for the following dates
2016-10-29 - saturday
2016-11-05 - saturday
2016-11-12 - saturday
2016-11-15 - Tuesday
2016-11-26 - saturday
i want a weekly chart which shows saturday's date ( last day of every week) on the axis
here 15 Nov's data also should be shown as 2016-11-19 (saturday's date). How can I do it?
Currently I am using this search
index ="64581-np" earliest=-24w@w6 latest=now sourcetype = "fn_details" matchConfidence!="Not Vulnerable"
[
| tstats max(_time) as maxTime WHERE index ="64581-np" earliest=-24w@w7 sourcetype="fn_details" by source _time span=1w
| sort -maxTime
| stats first(source) as source by _time
| fields source]
| fields fieldNoticeId,matchConfidence,source
| eval _time = _time + (86400*7)
| eval _time=if(_time>now(),relative_time(now(),"@d"),_time)
| eval dayWeek =strftime(_time,"%Y-%m-%d")
| eval workField = fieldNoticeId.":".dayWeek
| dedup workField,matchConfidence
| replace "Potentially Vulnerable" with "Potentially" in matchConfidence
| stats list(matchConfidence) as matchConfidence by workField
| eval statusOuput=if(matchConfidence LIKE "Potentially" AND !(matchConfidence LIKE "Vulnerable"),"Potentially Vulnerable","Vulnerable")
| eval id=mvindex(split(workField,":"),0)
| eval dayWeek=mvindex(split(workField,":"),1)
| chart dc(id) over dayWeek by statusOuput
which is giving me below result (dates):
2016-09-10
2016-09-17
2016-09-24
2016-10-01
2016-10-08
2016-10-22
2016-10-29
2016-11-05
2016-11-12
2016-11-15
2016-11-26
Help much appreciated!
add this to your search
| eval _time=strftime(relative_time(_time,"@w+6d"),"%D")
that should push all _time to the following Saturday.
add this to your search
| eval _time=strftime(relative_time(_time,"@w+6d"),"%D")
that should push all _time to the following Saturday.
it seems to be working..can you please explain why @w+6d ? Also if the last data uploaded data is middle of the week or today's date ... it shouldnt push to future saturday.
so, @w+6d
snaps _time to the beginning of the week on Sunday and then adds 6 days to it, making _time the end of the week on Saturday.
so if it's the current week, you don't want the data? or you want it to display current date?
| eval _time=if(strftime(relative_time(now(),"@w"),"%D")== strftime(relative_time(_time,"@w"),"%D"),strftime(_time,"%D"), strftime(relative_time(_time,"@w+6d"),"%D"))
something like this might work for you. the first string case says if the current time snapped to Sunday equals the event timestamp snapped to Sunday, then just use that timestamp, otherwise use the following Saturday.
if is it for past three weeks data.... if the data is available on saturday, then i need saturday.
if it is middle of the week day , then it has to be moved to saturday.
if it is data is pushed today (current day) and it is not saturday , then we have to show the same (current date).
I hope all these conditions are taken care in the above? Please let me know
I will test with different data available....thanks for your input