Solved: Change x axis _time display to weekly instead of d...

link22 · ‎06-13-2018

So I'm aiming for a month's worth of data to be displayed as "Week 1, Week 2, Week 3, Week 4" instead of by "Apr 13, Apr 30, etc."

I've been formatting both my XML and search string but to no avail. Any suggestions?

renjith_nair · ‎06-13-2018

You could either use the calendar week %V

your search | eval week=strftime(_time,"%V") |stats count by week

Or

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week

or if you want to specifically display week number then,

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week|streamstats count as weeknum|eval week="Week".weeknum|fields - weeknum

Happy Splunking!

View solution in original post

renjith_nair · ‎06-13-2018

You could either use the calendar week %V

your search | eval week=strftime(_time,"%V") |stats count by week

Or

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week

or if you want to specifically display week number then,

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week|streamstats count as weeknum|eval week="Week".weeknum|fields - weeknum

Happy Splunking!

renjith_nair · ‎06-14-2018

@link22, does it work for you?

Happy Splunking!

link22 · ‎06-19-2018

It did! Thank you so much, you really helped me a lot!

Change x axis _time display to weekly instead of daily

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability