Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to group daily results by week more close together?

KalebeRS
Explorer
‎07-18-2023 06:59 AM

Hello,

I have this search for a chart that counts values weekly and divides then by day of the week.

Is there any option that I can do to show this graph a little more compact grouping the results daily in showing just the week like the screenshots examples?

 

KalebeRS_0-1689688738990.png

 

 

 

 

 

 

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2023 07:08 AM

Hi @KalebeRS ,

let me understand: you have a chart with data divided by week/day and you want to aggregate data by week, is it correct?

if this is your requirement, you can extract the week number and use it for charting:

index="" host= sourcetype=csv [search index="" host= sourcetype=csv source=C:\\CW28_2.csv | dedup source | table source | sort - source | head 1 ] 
| where iswSD >= strftime(relative_time(now(), "-3w@w"),"%Y-%m-%d")
| eval Week_Number=strftime(strptime(iswSD,"%Y-%m-%d"),"%V")
| eval ISWGT=if(iswSD>pverSF, 1,0)
| eval ISWLE=if(iswSD<=pverSF, 1,0)
| eval non_mapped=case(match(pverID, ""), "match")
| chart sum(ISWGT), sum(ISWLE), count(non_mapped) as "Non Mapped" by Week_Number

Ciao.

Giuseppe

0 Karma
Reply

KalebeRS
Explorer
‎07-18-2023 07:23 AM

Not exactly, I just need to rearenge the values by week day into smaller groups, like in the screenshot. Still showing the values by week dividing by day, but in a compact form.

KalebeRS_0-1689690185875.png

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2023 07:28 AM

Hi @KalebeRS,

it's possible if you have only one valye in the chart command,

otherwise, it runs, but it isn't so readable.

please try this:

index="" host= sourcetype=csv [search index="" host= sourcetype=csv source=C:\\CW28_2.csv | dedup source | table source | sort - source | head 1 ] 
| table iswID, iswTitle, iswSD, pverID, pverSF
| where iswSD >= strftime(relative_time(now(), "-3w@w"),"%Y-%m-%d")
| eval Week_Number=strftime(strptime(iswSD,"%Y-%m-%d"),"%V")
| eval Week_Number_Day=strftime(strptime(iswSD,"%Y-%m-%d"),"%V %A")
| eval ISWGT=if(iswSD>pverSF, 1,0)
| eval ISWLE=if(iswSD<=pverSF, 1,0)
| eval non_mapped=case(match(pverID, ""), "match")
| chart sum(ISWGT), sum(ISWLE), count(non_mapped) as "Non Mapped" OVER  Week_Number_Day BY Week_Number

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...