In Splunk, the streamstats function gives cumulative data on a weekly basis but displays it "Thursday to Thursday" instead of "Monday to Sunday"
In Splunk, I want to display data cumulatively on a weekly basis, but the query below calculates the data from "Thursday to Thursday" instead of "Monday to Sunday".
Please help.
index=c sourcetype=c | timechart count(eval(State = "Closed" OR State= "Resolved")) as "Closed", count(eval(State = "Assigned" OR State= "Open")) as "Still Open", count(eval(State = "Pending")) as "Pending" span=1w | streamstats sum(*) as *
You can use the relative_time() function with the time modifier "w" or "w0" (Sunday), and "w1" (Monday) through "w6" (Saturday).
index=c sourcetype=c
| eval _time =relative_time(_time,"@w1")
| timechart count(eval(State = "Closed" OR State= "Resolved")) as "Closed", count(eval(State = "Assigned" OR State= "Open")) as "Still Open", count(eval(State = "Pending")) as "Pending" span=1w
| streamstats sum(*) as *
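A worked model of the two searches, added here as an example and not part of the original question or answer. It assumes, consistent with the Thursday-to-Thursday output the question describes, that span=1w buckets are aligned to the Unix epoch (1970-01-01 was a Thursday), and it reimplements the relative_time(_time, "@wN") snap, the timechart counts and the streamstats running sum in Python over constructed ticket events. The names snap_to_weekday, epoch_bucket, weekly_cumulative and the EVENTS list are assumptions of this example, not Splunk functions.

```python
from datetime import datetime, timedelta, timezone

WEEK = 7 * 24 * 3600  # span=1w in seconds

# Column mapping taken from the question's timechart: count(eval(State = ...)) as ...
COLUMNS = {
    "Closed": "Closed", "Resolved": "Closed",
    "Assigned": "Still Open", "Open": "Still Open",
    "Pending": "Pending",
}


def ts(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' UTC timestamp to epoch seconds."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M")
               .replace(tzinfo=timezone.utc).timestamp())


def label(epoch):
    """Render epoch seconds as 'YYYY-MM-DD Dow' in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %a")


# Constructed sample events (hypothetical ticket states), all in UTC.
EVENTS = [
    (ts("2024-03-04 10:00"), "Closed"),    # Monday
    (ts("2024-03-06 09:00"), "Open"),      # Wednesday
    (ts("2024-03-08 15:00"), "Pending"),   # Friday
    (ts("2024-03-10 20:00"), "Resolved"),  # Sunday
    (ts("2024-03-12 08:00"), "Assigned"),  # Tuesday of the next week
    (ts("2024-03-14 11:00"), "Closed"),    # Thursday of the next week
]


def snap_to_weekday(epoch, weekday):
    """Model relative_time(_time, "@wN"): snap back to 00:00 UTC of the most
    recent weekday N, with N counted as Splunk does (0=Sunday ... 6=Saturday)."""
    day = datetime.fromtimestamp(epoch, tz=timezone.utc).replace(
        hour=0, minute=0, second=0, microsecond=0)
    py_weekday = (weekday - 1) % 7          # Python counts Monday=0 ... Sunday=6
    back = (day.weekday() - py_weekday) % 7
    return int((day - timedelta(days=back)).timestamp())


def epoch_bucket(epoch, span=WEEK):
    """Model the assumed default alignment of span=1w: bucket boundaries fall on
    multiples of the span from epoch 0, which was Thursday 1970-01-01 00:00 UTC."""
    return epoch - (epoch % span)


def weekly_cumulative(events, snap_weekday=None):
    """timechart ... span=1w followed by streamstats sum(*) as *.
    Returns [(bucket_start_epoch, running_totals_dict), ...] in time order."""
    per_bucket = {}
    for epoch, state in events:
        if snap_weekday is not None:        # the answer's eval _time=relative_time(...)
            epoch = snap_to_weekday(epoch, snap_weekday)
        col = COLUMNS.get(state)
        if col is None:                     # states outside the three counted groups
            continue
        counts = per_bucket.setdefault(epoch_bucket(epoch),
                                       {"Closed": 0, "Still Open": 0, "Pending": 0})
        counts[col] += 1
    running = {"Closed": 0, "Still Open": 0, "Pending": 0}
    rows = []
    for bucket in sorted(per_bucket):       # streamstats: cumulative sum per column
        for col in running:
            running[col] += per_bucket[bucket][col]
        rows.append((bucket, dict(running)))
    return rows


if __name__ == "__main__":
    for title, snap in (("span=1w only", None), ('with relative_time(_time,"@w1")', 1)):
        print(title)
        for bucket, totals in weekly_cumulative(EVENTS, snap):
            print("  bucket from", label(bucket), totals)
```

Without the snap, the Monday-to-Sunday week of 4 March is split across two Thursday-aligned buckets, so the running totals change mid-week; after snapping every event to "@w1", all events of that week land in the same bucket and each running total covers whole Monday-to-Sunday weeks. In this model the bucket labels stay at the epoch-aligned Thursday boundaries, since the snap moves the events rather than the bucket edges, so compare the per-bucket contents, not the label dates, when checking your own results.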