在 Splunk 中,我想以每周累积的方式显示数据,但下面的查询是从“周四到周四”而不是“周一到周日”计算数据。
请帮忙。
index=c sourcetype=c | timechart count(eval(State = "Closed" OR State= "Resolved")) as "Closed", count(eval(State = "Assigned" OR State= "Open")) as "Still Open", count(eval(State = "Pending")) as "Pending" span=1w | streamstats sum(*) as *
您可以使用 relative_time() 函数和时间修饰符“w”或“w0”(星期日)、“w1”(星期一)到“w6”,将 _time 显式“分箱”到一周中的任何特定日期开始的几周(周六)。
index=c sourcetype=c
| eval _time =relative_time(_time,"@w1")
| timechart count(eval(State = "Closed" OR State= "Resolved")) as "Closed", count(eval(State = "Assigned" OR State= "Open")) as "Still Open", count(eval(State = "Pending")) as "Pending" span=1w
| streamstats sum(*) as *