Solved: Re: Change x axis _time display to weekly instead ...

link22 · ‎06-13-2018

So I'm aiming for a month's worth of data to be displayed as "Week 1, Week 2, Week 3, Week 4" instead of by "Apr 13, Apr 30, etc."

I've been formatting both my XML and search string but to no avail. Any suggestions?

renjith_nair · ‎06-13-2018

You could either use the calendar week %V

your search | eval week=strftime(_time,"%V") |stats count by week

Or

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week

or if you want to specifically display week number then,

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week|streamstats count as weeknum|eval week="Week".weeknum|fields - weeknum

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎06-13-2018

You could either use the calendar week %V

your search | eval week=strftime(_time,"%V") |stats count by week

Or

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week

or if you want to specifically display week number then,

your search|eval week=strftime(relative_time(_time,"@w1"),"%Y-%m-%d")|stats count by week|streamstats count as weeknum|eval week="Week".weeknum|fields - weeknum

---
What goes around comes around. If it helps, hit it with Karma 🙂

renjith_nair · ‎06-14-2018

@link22, does it work for you?

---
What goes around comes around. If it helps, hit it with Karma 🙂

link22 · ‎06-19-2018

It did! Thank you so much, you really helped me a lot!

Change x axis _time display to weekly instead of daily

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases