timewrap command overview
The SPL2 timewrap command displays, or wraps, the output of the timechart command so that every period of time is a different series.
Use the timewrap command to compare data over specific time period, such as day-over-day or month-over-month. You can also use the timewrap command to compare multiple time periods, such as a two week period over another two week period. See timewrap command syntax details.
Syntax
The required syntax is in bold.
- timewrap
- <timewrap-span>
- [align=now | end]
How the SPL2 timewrap command works
Because the SPL2 timewrap command is used with the timechart command, let's start with that.
The following search counts the number of earthquakes in Alaska where the magnitude is greater than or equal to 5.3. The results are organized in spans of 1 day.
|search source=all_month.csv place=*alaska* mag>=5.3 | timechart count() span=1d
The results look something like this:
| _time | count |
|---|---|
| 08 Sep 2021 | 1 |
| 09 Sep 2021 | 1 |
| 10 Sep 2021 | 1 |
| 11 Sep 2021 | 0 |
| 12 Sep 2021 | 0 |
| 13 Sep 2021 | 0 |
| 14 Sep 2021 | 1 |
| 15 Sep 2021 | 0 |
| 16 Sep 2021 | 0 |
| The results continue through 2021-09-23 but are truncated in this example. |
Combining the timewrap and timechart commands
Now let's add the timewrap command to the search and specify a <timewrap-span> of 1week.
|search source=all_month.csv place=*alaska* mag>=5.3 | timechart count() span=1d | timewrap 1week
The results are organized based on the day you run the search, which in this example 02 Oct 2021. Going back in 1 week increments to the week that the data starts (08 Sep 2021), the results look something like this:
| _time | 3weeks_before | 2weeks_before | 1week_before |
|---|---|---|---|
| 26 Sep 2021 | 0 | 0 | |
| 27 Sep 2021 | 0 | 0 | |
| 28 Sep 2021 | 1 | 0 | |
| 29 Sep 2021 | 1 | 0 | 0 |
| 30 Sep 2021 | 1 | 0 | 1 |
| 01 Oct 2021 | 1 | 0 | |
| 02 Oct 2021 | 0 | 0 |
Using the <timewrap-span> argument
The <timewrap-span> you specify controls how many rows are returned in the results and the ranges for the counts displayed in the columns. The <timewrap-span> specified is 1week so there are 7 rows in the output. Counting back from 02 Oct 2021, there are 3 weeks between 02 Oct 2021 and 08 Sep 2021, which is why the column headings refer to 3 weeks, 2 weeks, and 1 week before.
The first date in the output is 26 Sep 2021. Counting back 3 weeks is 05 Sep 2021. There are no events for that date, which is why the output contains no value in the column 3weeks_before for 26 Sep 2021.
Look at the date 29 Sep 2021. Counting back 3 weeks is 08 Sep 2021. There is 1 earthquake for that date, as shown in the results for the first search.
This pattern continues for the rest of the results.
See also
- Related information
- timechart command overview
| timechart command examples | timewrap command syntax details |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!