Splunk Search

How to specify earliest and latest time modifiers to display week over week comparison in a month, snapping to the beginning and end of the week?

naty
Path Finder

Hi,

my managers posted a request for data.
they want to see weekly comparison over the course of a month.
the catch is that if the 1st of a month starts on a Tuesday, they want to see the data from the Sunday, which is the last 2 days of the previous month.
again, if the 1st starts on a Thursday, they want to see the data from the Sunday, etc.

i wanted to know if there is a way to specify an earliest & latest values dynamically by weeks.
e.g. earliest=-1month@month and snap to Sunday, latest=-1month@month and snap to Saturday, and change those values for each week.

i know that there's an app for that called Timewrap, but installing it is complicated so i'm trying to get a workaround using the search.

Thank you!


aaraneta_splunk
Splunk Employee

Hi @naty - What version of Splunk are you using? Because as of 6.5.0, Splunk added the timewrap command so you wouldn't have to install the Timewrap add-on.

naty
Path Finder

Hi @aaraneta - about the Timewrap, i saw that it shows a weekly basis based on 7 days.
for example, for November i will see a line representing the 24th-30th, another for 17th-23rd and so on until the start of the month.
that is because November ended on Thursday, so it takes a week as Thursday till Thursday.

but i have a question about it since it's not very well documented - the Timewrap will show a weekly basis, but according to my example above for November, the last week i will see is 3rd-9th of November, i still wish to see the 1st & 2nd.

is it showing that to me?
if not, how can i see them on the weekly basis graph?
is there a way to do the timewrap without manipulating the _time so i could see the times for every week?

aaraneta_splunk
Splunk Employee

Hi @naty - I'm sorry, I'm not an expert on timewrap so unfortunately I wouldn't be able to help you much. But you may have some luck by joining our public Slack chat!

There are 1300+ Splunk users in our public Slack chat. People ask each other for immediate help on there daily. You can share this follow-up question/link to your post there to see if anyone can take a stab at it.

You first have to request access through www.splunk402.com/chat. Fill out the form, and once you receive the approval email, you can access Slack.com and ask for help in the #general channel.

naty
Path Finder

Hi,
You saved me!!
we actually just upgraded to 6.5.1 last week 😄
i tried the timewrap now and it worked perfectly!!!

cmerriman
Super Champion

to snap the earliest to the first day of the week of the previous month (even if it falls in another month) use earliest=-1mon@mon@w
or earliest=@mon@w if you are just looking at the current month.

from there to get week over week, you can use |bucket _time span=7d

naty
Path Finder

Thank you!
i understood that i can use the Timewrap app using 6.5.
luckily for me, we just upgraded to 6.5.1 last week 😄
but this should work too, thank you!!! (didn't know you could do -1mon@mon@w, thought you could only do -1mon@mon and that's it 🙂 )


naty
Path Finder

Hi @cmerriman,

i have tested your answer.
the span=7d is not good since i want to see span=1h and compare an hourly span of every week of the month.
let's say that for November, i would like to do a search to get an hourly span from: October 30th - November 5th, November 6th - November 12th, November 13th - November 19th, November 20th - November 26th, November 27th - December 3rd.

notice that i took the previous month, but i need the start of the month and then snap to the start of the week.

you gave me an answer for that with earliest=-1mon@mon@w which was excellent, but how do I do the latest to snap to the end of that week?
also, do you know how to specify the earliest & latest for each week?

Thank you!


cmerriman
Super Champion

maybe try something like

...|eval weekBegin=strftime(relative_time(_time,"@w"),"%D")|eval weekEnd=strftime(relative_time(_time,"@w+6d"),"%D")|eval week=weekBegin+" - "+weekEnd|timechart span=1h count by week

or whatever stats command you needed


jeffland
SplunkTrust

Doesn't -1mon@w do exactly what you want? Go back one month, then to the start of that week.


naty
Path Finder

Hi, thank you for the reply!
correct me if i'm wrong, but i think it will do something else.
for example - if i'm on the 25th of June and i go -1mon@w, then i'll go to the 25th of May and the start of that week..


jeffland
SplunkTrust

Right, sorry - @mon@w does it, I was going back one month further than needed.

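
The modifier chains discussed in this thread (cmerriman's earliest=-1mon@mon@w and earliest=@mon@w, the relative_time() week labels, and the -1mon@w versus @mon@w exchange above) are easy to get subtly wrong because every snap rounds backwards in time. The following is an added example, not code from this thread or from Splunk: a small Python re-implementation of the documented snap-to rules that lets you evaluate a modifier string against a reference time offline and list the Sunday-to-Saturday weeks covering a month. It covers only the units used here (s, m, h, d, w, w0-w6, mon, y); the function names, the day-clamping behaviour for month offsets, and the latest= chain +1mon@mon-1d@w+7d are assumptions made for this example and are not taken from the thread.

```python
"""Evaluate Splunk-style relative-time modifiers ("-1mon@mon@w", "@w+6d", ...)
and list the Sunday-to-Saturday weeks that cover a month. Added example, not
code from this thread or from Splunk: it re-implements the documented snap-to
rules in plain Python so the modifiers discussed above can be checked offline.
Only the units used in the thread are covered (s, m, h, d, w, w0-w6, mon, y),
and every snap rounds backwards in time, never forwards."""
import calendar
import re
from datetime import datetime, timedelta

# A token is an offset ("-1mon", "+7d", "1w") or a snap ("@w", "@w6", "@mon").
# "mon" is listed before "m" and "w[0-6]" before plain "w" on purpose.
_TOKEN = re.compile(r"([+-]?)(\d*)(mon|y|w|s|m|h|d)|@(mon|y|w[0-6]?|s|m|h|d)")
# Fields to reset for each calendar snap, finest first.
_FIELDS = ["microsecond", "second", "minute", "hour", "day", "month"]
_ZERO = {"microsecond": 0, "second": 0, "minute": 0, "hour": 0, "day": 1, "month": 1}
_DEPTH = {"s": 1, "m": 2, "h": 3, "d": 4, "mon": 5, "y": 6}


def _add_months(t, n):
    """Shift t by n months, clamping the day to the target month's length
    (an assumption about how Splunk treats e.g. 31 March minus one month)."""
    year, month0 = divmod(t.year * 12 + t.month - 1 + n, 12)
    day = min(t.day, calendar.monthrange(year, month0 + 1)[1])
    return t.replace(year=year, month=month0 + 1, day=day)


def _offset(t, sign, count, unit):
    """Apply "+N<unit>" / "-N<unit>"; a missing count means 1."""
    n = (int(count) if count else 1) * (-1 if sign == "-" else 1)
    if unit in ("mon", "y"):
        return _add_months(t, n * (12 if unit == "y" else 1))
    seconds = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}[unit]
    return t + timedelta(seconds=n * seconds)


def _snap(t, unit):
    """Round t DOWN to the start of unit. "@w" equals "@w0" (the most recent
    Sunday); "@w6" is the most recent Saturday, which for every weekday but
    Saturday lies BEFORE the current week's Sunday, not after it."""
    if unit in _DEPTH:
        return t.replace(**{f: _ZERO[f] for f in _FIELDS[:_DEPTH[unit]]})
    target = int(unit[1:] or 0)            # "w", "w0".."w6": 0 = Sunday, 6 = Saturday
    day = _snap(t, "d")
    current = (day.weekday() + 1) % 7      # Python counts Monday as 0; make Sunday 0
    return day - timedelta(days=(current - target) % 7)


def relative_time(t, modifier):
    """Apply a modifier string to t (datetime or ISO 8601 string) left to
    right, as SPL's relative_time(X, Y) or an earliest=/latest= value does."""
    if isinstance(t, str):
        t = datetime.fromisoformat(t)
    pos = 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError("cannot parse %r" % modifier[pos:m.start()])
        pos = m.end()
        t = _snap(t, m.group(4)) if m.group(4) else _offset(t, *m.group(1, 2, 3))
    if pos != len(modifier):
        raise ValueError("cannot parse %r" % modifier[pos:])
    return t


def week_windows(year, month):
    """Sunday-to-Saturday weeks from the one holding the 1st to the one holding
    the last day of the month, as (earliest, latest) datetimes with latest
    exclusive (the following Sunday 00:00), which is how Splunk treats latest=."""
    ref = datetime(year, month, 15)
    earliest = relative_time(ref, "@mon@w")           # Sunday on or before the 1st
    latest = relative_time(ref, "+1mon@mon-1d@w+7d")  # Sunday after the last day
    windows, start = [], earliest
    while start < latest:
        windows.append((start, start + timedelta(days=7)))
        start += timedelta(days=7)
    return windows


def week_labels(year, month):
    """Inclusive "YYYY-MM-DD - YYYY-MM-DD" labels, one per week window."""
    return ["%s - %s" % (s.date(), (e - timedelta(days=1)).date())
            for s, e in week_windows(year, month)]


if __name__ == "__main__":
    # Constructed input: November 2016, the month in the question (the 1st is a Tuesday).
    print("\n".join(week_labels(2016, 11)))
    # Two pitfalls raised in the thread: "-1mon@w" lands in the previous month's
    # week, and "@w6" snaps back to last Saturday instead of forward to this week's end.
    print(relative_time("2016-06-25", "-1mon@w"), relative_time("2016-06-25", "@mon@w"))
    print(relative_time("2016-11-09", "@w6"), relative_time("2016-11-09", "@w+6d"))
```

Run as a script it prints the five windows Oct 30 - Nov 5 through Nov 27 - Dec 3 for November 2016, exactly the ranges asked for above, and shows that from 25 June 2016 "-1mon@w" gives 22 May while "@mon@w" gives 29 May. The same earliest and latest strings are what you would put into earliest= and latest= in SPL; the thread confirms that two snaps can be chained (-1mon@mon@w), and this example assumes a snap-offset-snap-offset chain is accepted the same way, which you should verify on your own Splunk version before relying on it.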