Change the day from where the week starts in bucke...

tikoonikhil · ‎10-13-2016

I am running this query in splunk which aggregates and bucketizes the data on a weekly basis , based on the field "impact_start" and gives me the output. But the problem is that the start of the week in the output is Thursday rather than Monday.
Is there any way i can change the start of the week to Monday instead of Thursday?

search index=* impact=1 OR impact=2 product_line=* | eval time = round( strptime(impact_start,"%Y-%m-%d %H:%M:%S"), 0 )| where time >= 1473328728 AND time<=1476352728| bucket time span=7d | stats values(number) as incident_name by time

sundareshr · ‎10-13-2016

See if this works

search index=* impact=1 OR impact=2 product_line=* 
| eval time = round( strptime(impact_start,"%Y-%m-%d %H:%M:%S"), 0 ) 
| where time >= 1473328728 AND time<=1476352728 
| evenstats earliest(_time) as e
| eval time=if(e=_time AND _time>relative_time(_time, "-@w1"), mvrange(relative_time(_time, "-@w1"), _time), _time)
| mvexpand time
| fillnull number
| bucket time span=7d 
| stats values(number) as incident_name by time

davebrooking · ‎10-13-2016

I think this answer may point you in the right direction

Dave

Change the day from where the week starts in bucket.

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success