Skip to content

Instantly share code, notes, and snippets.

@acharlieh
Last active August 29, 2015 14:06
Show Gist options
  • Save acharlieh/777d6767378e82427d00 to your computer and use it in GitHub Desktop.
Save acharlieh/777d6767378e82427d00 to your computer and use it in GitHub Desktop.
Playing with Splunk DOW
| noop | stats count | fields 
| eval num=mvrange(0,40,1) | mvexpand num 
| eval _time=relative_time(now(),"-".num."d@d")
| eval day=strftime(_time,"%A - %F") 
| timechart span=w count,list(day)

Have your search time range be at least: earliest=-40d@d latest=now otherwise you confuse the embedded bucket command by presenting data that's not in the time range.

Play with changing the anchor on earliest to @w0,@w1,...,@w5,@w6 and check out the results.

Update: A method that does not involve manipulating earliest, change _time, then use chart instead of timechart:

| noop | stats count | fields
| eval num=mvrange(0,40,1) | mvexpand num 
| eval _time=relative_time(now(),"-".num."d@d")
| eval day=strftime(_time,"%A - %F")
| eval _time=relative_time(_time,"@w6")
| chart count,list(day) by _time
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment