A: This is not an error. Timewap relies on the timeframe of the search. You are searching for a 7 day window FROM sunday. That's mon,tues,wed,thurs,fri,sat,sun. If you want to start on Sunday, end your search on Saturday @w-1.
A: If you are searching last seven 24 hour periods, which will occur on 8 days, unless you start at midnight. If snap to the start of a day, this will go away.
A: Do your search as usual, and filter at the end (filtering up-front will confuse timechart):
.... | timechart count span=1h | timewrap w | where strftime(_time, "%A") == "Wednesday"
A: There is now a new "series" option to determines the naming convention of the series names:
"relative" is the default "series" value.
Q: How can I compare today to yesterday to the avg for the week?
Glad you asked. Search for the last 7 days and run this:
*
| timechart count span=1h
| timewrap d series=short
| addtotals s*
| eval 7dayavg=Total/7.0
| table _time, _span, s0, s1, 7dayavg
| rename s0 as now, s1 as yesterday
Basically, we're using timewrap over the last 7 days, and then using addtotals and eval to calculate the average over those 7 days. We then rename fields and cut out days 3-7, because we only wanted today, yesterday, and the weekly average.
Currently in Splunk you cannot drilldown into "other" values from a "top" command. For example, if you searched for "* | top 10 host useother=t", clicking on the "other" value will try to search for "host=other"(!), which is wrong.
I added a little search command that adds a _drilldown field that does the right thing -- it will search for "host=* NOT host=VAL1 NOT host=VAL2 ... NOT host=VAL3". It works with 'top' output.
In your simplexml, you'd then say drilldown on
$row._drilldown$
This will drilldown on the _drilldown field value.
added support for year, fixing bug.
Added support for "y" year. Assumes 365 days, ignoring leap days.
Added support for s (seconds). For example, an argument of "600s" will timewrap on 10minutes.
Added support for multidigit timespans (e.g. 19h).
Added 'drilldown' command (freebie!), that makes drilldown on 'other' values work.
Added series option to determines the naming convention of the series names: "relative" gives values like "latest_week", "1week_ago", "2weeks_ago", etc.; "short" gives short span names like "s0", "s1", "s2", etc., which are useful if you need to modify the values with further search commands; and "exact" gives convenient values like "week_of_dec01", "week_of_nov24", etc. "relative" is the default SERIES value.
Fixed bug where latesttime was being included, when it should have been excluded.
Improved the name of the series to be more correct and clear, and convenient (no whitespace).
now supports _span field for better time labeling
updated support for improved column ordering and not retaining events
made app invisible because it's just an add-on
updated support for multiple series
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.