So I want to use bucket to group my data by weeks that start on Mondays. If I change my query to use earliest=-1w@w1 latest=@w1
then bucket span=week
does the right thing. But I'm going to be running a daily (or hourly) summary index that I want to bucket by weeks, including the current week in progress.
Index:
sourcetype="source" | bucket _time span=day | stats count by severity, customer, _time
Search that works for daily counts:
search severity > 9 customer="name" | eval Day=strftime(_time, "%Y-%m-%d") | eval n="count" | xyseries Day, n, count
I need a search that works for weekly counts snapped to mondays.
How does this work for you?
search severity > 9 customer="name" |
eval Week=relative_time(_time, "@w1") |
eval n="count" |
xyseries Week, n, count
search severity > 9 customer="name" |
eval Week=relative_time(_time, "@w1") |
stats count by severity customer Week |
eval n="count" |
xyseries Week, n, count
though I am unclear on why you want count by severity and customer as well as by week...
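As an added illustration (not code from the thread, and not Splunk's own implementation), the snippet below reproduces in Python what the answer's relative_time(_time, "@w1") snap followed by a second stats pass does to daily summary-index rows: every daily bucket is pulled back to midnight of the most recent Monday, rows from the same week are summed, and the week still in progress appears as its own partial row. The rows are constructed sample data shaped like the output of the summary search above; the customer name, the severity threshold and the use of UTC are assumptions (Splunk snaps in the search's timezone, so the real boundaries depend on the user's timezone setting). The week key is formatted as a date so the xyseries column reads as a date rather than as a raw epoch value.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def day_epoch(year: int, month: int, day: int) -> int:
    """Midnight UTC of a calendar day as an epoch, i.e. a 'bucket _time span=day' value."""
    return int(datetime(year, month, day, tzinfo=UTC).timestamp())


# Constructed sample rows shaped like the summary index in the question:
# (_time of the daily bucket, severity, customer, count). 2024-01-08 is a Monday,
# 2024-01-14 is the Sunday that closes that week, 2024-01-15 starts the next week.
SUMMARY_ROWS = [
    (day_epoch(2024, 1, 8), 10, "name", 3),
    (day_epoch(2024, 1, 14), 10, "name", 2),   # Sunday: belongs to the week of 01-08
    (day_epoch(2024, 1, 14), 9, "name", 5),    # severity 9 is not > 9, filtered out
    (day_epoch(2024, 1, 15), 10, "name", 4),
    (day_epoch(2024, 1, 17), 10, "other", 7),  # different customer, filtered out
    (day_epoch(2024, 1, 17), 12, "name", 1),   # mid-week: the week still in progress
]


def snap_to_monday(ts: int) -> int:
    """Equivalent of relative_time(ts, "@w1"): midnight of the most recent Monday (UTC assumed)."""
    dt = datetime.fromtimestamp(ts, UTC)
    monday = dt - timedelta(days=dt.weekday())  # weekday(): Monday=0 ... Sunday=6
    return int(monday.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())


def weekly_counts(rows, min_severity: int = 9, customer: str = "name") -> dict:
    """
    search severity > 9 customer="name"
    | eval Week=relative_time(_time, "@w1")
    | stats sum(count) by Week
    rendered as {"YYYY-MM-DD of the Monday": total}.
    """
    totals = Counter()
    for ts, severity, cust, count in rows:
        if severity > min_severity and cust == customer:
            totals[snap_to_monday(ts)] += count
    return {
        datetime.fromtimestamp(week, UTC).strftime("%Y-%m-%d"): total
        for week, total in sorted(totals.items())
    }


if __name__ == "__main__":
    for week, total in weekly_counts(SUMMARY_ROWS).items():
        print(week, total)
```

Running it prints one row per Monday; the Sunday bucket lands in the preceding week's row, and the partial current week shows up with whatever has been summarized so far, which is the behaviour the question asks for.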
Actually need to run through stats again to sum(count) by Week
relative_time() - Works perfectly! Thanks.