How do I get Timechart to start on a specific day of the week

mumblingsages
Path Finder

I have a collection of log data in an index and for the purposes of this discussion _time has the value I want. When I do:

index="my_index" | timechart count span=7d

The resultant visualization always seems to start on a Thursday. I would like it to start on a Sunday. Is there a way to do this?

0 Karma
1 Solution

sbbadri
Motivator

Try this:

index="my_index" | eval Day1ofWeek = strftime(relative_time(_time,"@w0"),"%m/%d") | chart count by Day1ofWeek

0 Karma

mumblingsages
Path Finder

Sabbadri,
This definitely appears to work, but can you help me understand why? More specifically, where did you find the definition of @w0 in the relative_time function?

0 Karma

mumblingsages
Path Finder

Secondary question...

Is there any way to force this value back into _time so one can use single value visualizations?

EDIT:
Never mind... I figured this part out!

0 Karma

somesoni2
SplunkTrust

Do it like this:

index="my_index" | eval _time=relative_time(_time,"@w0") | chart count by _time
0 Karma

sbbadri
Motivator

Please check the link below:

http://docs.splunk.com/Documentation/Splunk/6.6.2/Search/Specifytimemodifiersinyoursearch

Topic: Examples of relative time modifiers

0 Karma

mumblingsages
Path Finder

Thanks much!!!

0 Karma

somesoni2
SplunkTrust

Try | timechart span=1w count

0 Karma

mumblingsages
Path Finder

Somesoni2,
This yields the same result, unfortunately.

0 Karma
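
One explanation for the Thursday start asked about in this thread, as an added example that is not part of any post above: 7-day bins aligned to the Unix epoch begin on Thursdays because 1 January 1970 was a Thursday, while "@w0" snaps each timestamp to the preceding Sunday. The helper names, the use of UTC and the sample timestamps are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WEEK = 7 * 86400
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order


def epoch_aligned_week(ts):
    """Floor ts to a multiple of 7 days since the Unix epoch (assumed span=7d behaviour)."""
    return ts - ts % WEEK


def snap_to_sunday(ts):
    """Floor ts to 00:00 UTC on the most recent Sunday, like relative_time(_time, "@w0")."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    midnight = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    days_since_sunday = (dt.weekday() + 1) % 7  # Sunday -> 0, Monday -> 1, ...
    return int((midnight - timedelta(days=days_since_sunday)).timestamp())


def label(bucket_start):
    """Render a bucket start as 'Weekday YYYY-MM-DD' in UTC."""
    dt = datetime.fromtimestamp(bucket_start, tz=timezone.utc)
    return f"{DAYS[dt.weekday()]} {dt:%Y-%m-%d}"


def weekly_counts(timestamps, bucket_fn):
    """Count events per bucket, keyed by the weekday and date each bucket starts on."""
    counts = Counter(bucket_fn(ts) for ts in timestamps)
    return {label(start): n for start, n in sorted(counts.items())}


def utc(year, month, day, hour=12):
    """Epoch seconds for a UTC calendar date (hypothetical helper for the sample data)."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())


# Constructed sample events (not from the thread): Sat, Sun, Wed, Thu, Sat, Sun.
SAMPLE = [utc(2017, 8, 5), utc(2017, 8, 6), utc(2017, 8, 9),
          utc(2017, 8, 10), utc(2017, 8, 12), utc(2017, 8, 13)]

if __name__ == "__main__":
    print("epoch-aligned 7d: ", weekly_counts(SAMPLE, epoch_aligned_week))
    print("snapped to Sunday:", weekly_counts(SAMPLE, snap_to_sunday))
```

The same six events fall into two Thursday-based buckets under epoch alignment and three Sunday-based buckets after snapping, so weekly totals shift depending on which boundary is used.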