In order to remove weekend days completly from my timechart, I created a request :
My Base Search
| eval date_wday=lower(strftime(_time,"%A"))
| eval date_w=strftime(_time,"%d/%m")
| where NOT (date_wday = "sunday" OR date_wday = "saturday")
| chart count(foo) as "foo", count(bar) as "bar" by date_w
| rename date_w as "Working Days"
And I get this result, with the problem that days are not in the right order :
Even if I add "| sort date_w " in my search, it won't display properly.
Is there a way to correct this ?
@Zakary_n, change | eval date_w=strftime(_time,"%d/%m")
to | eval date_w=strftime(_time,"%m/%d")
,
Also check if default extracted field date_wday
already exists with your data then you will not need | eval date_wday=lower(strftime(_time,"%A"))
and you can move NOT (date_wday = "sunday" OR date_wday = "saturday")
to base search as (date_wday!= "sunday" OR date_wday!="saturday")
.
Try the following search:
My Base Search (date_wday!="sunday" OR date_wday!="saturday")
| eval date_w=strftime(_time,"%Y/%m/%d")
| chart count(foo) as "foo", count(bar) as "bar" by date_w
| rename date_w as "Working Days"
@Zakary_n, change | eval date_w=strftime(_time,"%d/%m")
to | eval date_w=strftime(_time,"%m/%d")
,
Also check if default extracted field date_wday
already exists with your data then you will not need | eval date_wday=lower(strftime(_time,"%A"))
and you can move NOT (date_wday = "sunday" OR date_wday = "saturday")
to base search as (date_wday!= "sunday" OR date_wday!="saturday")
.
Try the following search:
My Base Search (date_wday!="sunday" OR date_wday!="saturday")
| eval date_w=strftime(_time,"%Y/%m/%d")
| chart count(foo) as "foo", count(bar) as "bar" by date_w
| rename date_w as "Working Days"
@niketnilay yup I did that. It's a fine workaround I guess, thank you.
Now if they ask me at my work to change the format of the date I'll legit cry lol.
Thanks again
@Zakary_n there may be some nasty workaround possible in case that is absolutely required. Until then happy path is to use YYYY/mm/dd
for string time sorting. 🙂
I have converted my comment to answer. Please accept to mark this as answered!
Hello,
Your problem here is using chart
that will sort your data alphabetically.
Try like that :
My Base Search
| eval date_wday=lower(strftime(_time,"%A"))
| eval date_w=strftime(_time,"%d/%m")
| where NOT (date_wday = "sunday" OR date_wday = "saturday")
| timechart span=1d count(foo) as "foo", count(bar) as "bar"
That should work for you, let me know 🙂
Hey KailA, thank you for your response!
Unfortunatly, with timechart it's impossible to cut weekend days out from my display.
See this question I asked earlier about this :
And if you add | where foo != 0 AND bar != 0
at the end ?
I might need to do it this way in the near future actually, depending on what they tell me to do at work.
Thank you for your help @KailA !