Hi,
We have the following requirement for a weekly trend chart for the data that we get on daily basis (mostly).
1) We need to show the end-of-week date for labels (the week range is from Sunday to Saturday). That is, we need to have Saturday's date on the label for each historical point.
But if today we are on Wednesday, then for the current week, we show Wednesday data as well as Wednesday's date on the label.
2) We need to use the latest data for that week. I have a solution for this using tstats as in the example search below.
To elaborate with an example, consider we receive data on a daily basis for the last 3 weeks till today (July 8).
Following will be the labels on the chart (ignore the format of date): 18th June, 25th of June, 2nd of July and 8th of July. 8th July is considered since it is the latest in this week.
3) Data to be considered for the 18th June label will be the latest data received between 12th June to 18th June and so on for other dates.
I tried using the following search, but it does not give expected results:
index ="xyz" earliest=-3w@w6 latest=now sourcetype = cache-v2 [| tstats max(_time) as maxTime WHERE index=xyz source="*xyz_details*" by source _time span=1w | sort -maxTime | stats first(source) as source by _time | fields source] | eval Time=_time | timechart span=1w dc(psirtColdId) by matchConfidence | eval Time=strftime(_time,"%Y:%m:%d") | table Time,"Potentially Vulnerable",Vulnerable
Please let me know how this can be achieved.
Thanks,
-Amol
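The bucketing rule described in the question (Sunday..Saturday weeks labelled with Saturday's date, the open week labelled with today's date, and only the latest record per week kept) written out in Python as an added illustration; this is not SPL and not the poster's search, and the sample snapshots, the fixed "today" of Wednesday 2020-07-08 and the two count columns are constructed to mirror the "Vulnerable" / "Potentially Vulnerable" table in the post.

```python
from datetime import date, datetime, timedelta

# Constructed sample feed: daily snapshots as (timestamp, vulnerable, potentially_vulnerable).
# Dates are made up; "today" is pinned to Wed 2020-07-08 so the run is reproducible.
TODAY = date(2020, 7, 8)
SAMPLE = [
    (datetime(2020, 6, 17, 9), 10, 4),   # week ending Sat 2020-06-20
    (datetime(2020, 6, 19, 9), 12, 3),   # latest record of that week
    (datetime(2020, 6, 22, 9), 11, 5),   # week ending Sat 2020-06-27
    (datetime(2020, 6, 27, 9), 13, 2),
    (datetime(2020, 6, 30, 9), 14, 1),   # week ending Sat 2020-07-04
    (datetime(2020, 7, 3, 9), 15, 0),
    (datetime(2020, 7, 3, 18), 16, 0),   # same day, later run must win
    (datetime(2020, 7, 6, 9), 17, 2),    # current (open) week: labelled with TODAY
    (datetime(2020, 7, 8, 9), 18, 3),
]


def week_label(day: date, today: date) -> date:
    """Saturday that closes the Sunday..Saturday week containing `day`, capped at `today`
    so the still-open week is labelled with today's date instead of a future Saturday."""
    # weekday(): Mon=0 ... Sat=5, Sun=6; a Sunday therefore rolls forward 6 days.
    days_to_saturday = (5 - day.weekday()) % 7
    return min(day + timedelta(days=days_to_saturday), today)


def weekly_trend(records, today=TODAY):
    """Keep only the latest snapshot per week label.
    Returns [(label as 'YYYY:MM:DD', vulnerable, potentially_vulnerable), ...] in date order."""
    latest = {}
    for ts, vulnerable, potential in records:
        label = week_label(ts.date(), today)
        if label not in latest or ts > latest[label][0]:
            latest[label] = (ts, vulnerable, potential)
    return [(label.strftime("%Y:%m:%d"), v, p)
            for label, (_, v, p) in sorted(latest.items())]


if __name__ == "__main__":
    for row in weekly_trend(SAMPLE):
        print(*row)
```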