Solved: Re: How do I get Timechart to start on a specific ...

mumblingsages · ‎07-31-2017

I have a collection of log data in an index and for the purposes of this discussion _time has the value I want. When I do:

index="my_index" | timechart count span=7d

The resultant visualization always seems to start on a Thursday. I would like it to start on a Sunday. Is there a way to do this?

sbbadri · ‎07-31-2017

try this ,

index="my_index" | eval Day1ofWeek = strftime(relative_time(_time,"@w0"),"%m/%d") | chart count by Day1ofWeek

View solution in original post

sbbadri · ‎07-31-2017

try this ,

index="my_index" | eval Day1ofWeek = strftime(relative_time(_time,"@w0"),"%m/%d") | chart count by Day1ofWeek

mumblingsages · ‎08-01-2017

Sabbadri,
This definitely appears to work, but can you help understand why? More specifically where did you find the definition of @w0 in the relative_time function?

mumblingsages · ‎08-01-2017

Secondary question...

Is there anyway to force this value back into _time so one can use single value visualizations?

EDIT:
Nevermind.... I figured this part out!

somesoni2 · ‎08-01-2017

Do like this

index="my_index" | eval _time=relative_time(_time,"@w0") | chart count by _time

sbbadri · ‎08-01-2017

please check below link,

http://docs.splunk.com/Documentation/Splunk/6.6.2/Search/Specifytimemodifiersinyoursearch

Topic: Examples of relative time modifiers

mumblingsages · ‎08-01-2017

Thanks much!!!

somesoni2 · ‎07-31-2017

Try | timechart span=1w count

mumblingsages · ‎08-01-2017

Somesoni2,
This yields the same result, unfortunately.

How do I get Timechart to start on a specific day of the week

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk