Splunk Search

How to snap span with bucket

aarcro
Explorer

So I want use bucket to group my data by weeks that start on Mondays if I change my query to use earliest=-1w@w1 latest=@w1 Then bucket span=week does the right thing. But I'm going to be running a daily (or hourly) summary index, that I want to bucket by weeks including the current week in progress.

Index:

sourcetype="source" | bucket _time span=day | stats count by severity, customer, _time

Search that works for daily counts

search severity > 9 customer="name" | eval Day=strftime(_time, "%Y-%m-%d")|  eval n="count" | xyseries Day, n, count

I need a search that works for weekly counts snapped to mondays.

Tags (3)
0 Karma
1 Solution

lguinn2
Legend

How does this work for you?

search severity > 9 customer="name" | 
eval Week=relative_time(_time, "@w1") |  
eval n="count" | 
xyseries Week, n, count

View solution in original post

lguinn2
Legend

How does this work for you?

search severity > 9 customer="name" | 
eval Week=relative_time(_time, "@w1") |  
eval n="count" | 
xyseries Week, n, count

lguinn2
Legend

search severity > 9 customer="name" |
eval Week=relative_time(_time, "@w1") |

stats count by severity customer Week |
eval n="count" |
xyseries Week, n, count

though I am unclear on why you want count by severity and customer as well as by week...

0 Karma

aarcro
Explorer

Actually need to run through stats again to sum(count) by Week

0 Karma

aarcro
Explorer

relative_time() - Works perfect! Thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...