In Splunk, I want to display data in a cumulative way on a weekly basis, but the query below is counting data from "Thursday to Thursday" instead of "Monday to Sunday".
Please help.
index=c sourcetype=c | timechart count(eval(State = "Closed" OR State= "Resolved")) as "Closed", count(eval(State = "Assigned" OR State= "Open")) as "Still Open", count(eval(State = "Pending")) as "Pending" span=1w | streamstats sum(*) as *
You can explicitly "bin" the _time into weeks starting any particular day of the week by using the relative_time() function and time modifiers "w" or "w0" (for Sunday), "w1" (for Monday) through "w6" (for Saturday).
index=c sourcetype=c
| eval _time =relative_time(_time,"@w1")
| timechart count(eval(State = "Closed" OR State= "Resolved")) as "Closed", count(eval(State = "Assigned" OR State= "Open")) as "Still Open", count(eval(State = "Pending")) as "Pending" span=1w
| streamstats sum(*) as *
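The Monday snapping and running totals from the query above, reproduced in Python as an added example (not code from the original post or from Splunk). It assumes UTC and constructed sample events; the function names are hypothetical, and the epoch-aligned bucket is included only as an assumed explanation of the Thursday boundary, since 1970-01-01 was a Thursday.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from itertools import accumulate

WEEK = 7 * 86400
# Output column for each State value, grouped as in the query above.
COLUMNS = {"Closed": "Closed", "Resolved": "Closed",
           "Assigned": "Still Open", "Open": "Still Open",
           "Pending": "Pending"}

def snap_w1(t):
    """Like relative_time(t, "@w1"): most recent Monday 00:00 (UTC assumed)."""
    d = datetime.fromtimestamp(t, timezone.utc)
    midnight = d.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((midnight - timedelta(days=d.weekday())).timestamp())

def snap_epoch_week(t):
    """Fixed 7-day bucket counted from the Unix epoch, which fell on a Thursday."""
    return t - t % WEEK

def cumulative_by_week(events, snap):
    """events: (epoch_seconds, State) pairs -> [(week_start, running totals)]."""
    per_week = {}
    for t, state in events:
        if state in COLUMNS:
            per_week.setdefault(snap(t), Counter())[COLUMNS[state]] += 1
    weeks = sorted(per_week)
    # Running sum across weeks, the role streamstats sum(*) plays in the query.
    running = accumulate((per_week[w] for w in weeks), lambda a, b: a + b)
    return [(w, dict(total)) for w, total in zip(weeks, running)]

def weekday(t):
    return datetime.fromtimestamp(t, timezone.utc).strftime("%a")

def utc(y, m, d, h=12):
    return int(datetime(y, m, d, h, tzinfo=timezone.utc).timestamp())

# Constructed sample events (not from the original post); 2024-01-01 is a Monday.
EVENTS = [(utc(2024, 1, 1), "Open"), (utc(2024, 1, 3), "Closed"),
          (utc(2024, 1, 4), "Pending"), (utc(2024, 1, 7), "Resolved"),
          (utc(2024, 1, 8), "Assigned"), (utc(2024, 1, 11), "Closed")]

if __name__ == "__main__":
    for name, snap in (("@w1", snap_w1), ("epoch", snap_epoch_week)):
        for start, totals in cumulative_by_week(EVENTS, snap):
            print(name, weekday(start), totals)
```
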