timewrap command overview
The timewrap command displays, or wraps, the output of the timechart command so that every period of time is a different series.
Use the timewrap command to compare data over a specific time period, such as day-over-day or month-over-month. You can also use the timewrap command to compare multiple time periods, such as a two week period over another two week period. See timewrap command syntax details.
The required syntax is in bold.
- [align=now | end]
How the timewrap command works
The timewrap command is used with the timechart command, so let's start with that.
The following search counts the number of earthquakes in Alaska where the magnitude is greater than or equal to 5.3. The results are organized in spans of 1 day.
|search source=all_month.csv place=*alaska* mag>=5.3 | timechart count() span=1d
The results look something like this:
|08 Sep 2021||1|
|09 Sep 2021||1|
|10 Sep 2021||1|
|11 Sep 2021||0|
|12 Sep 2021||0|
|13 Sep 2021||0|
|14 Sep 2021||1|
|15 Sep 2021||0|
|16 Sep 2021||0|
The results continue through 2021-09-23 but are truncated in this example.
Combining the timewrap and timechart commands
Now let's add the timewrap command to the search and specify a <timewrap-span> of 1week.
|search source=all_month.csv place=*alaska* mag>=5.3 | timechart count() span=1d | timewrap 1week
The results are organized based on the day you run the search, which in this example is 02 Oct 2021. Going back in 1 week increments to the week that the data starts (08 Sep 2021), the results look something like this:
|_time||3weeks_before||2weeks_before||1week_before|
|26 Sep 2021|| ||0||0|
|27 Sep 2021|| ||0||0|
|28 Sep 2021|| ||1||0|
|29 Sep 2021||1||0||0|
|30 Sep 2021||1||0||1|
|01 Oct 2021||1||0|| |
|02 Oct 2021||0||0|| |
Using the <timewrap-span> argument
The <timewrap-span> you specify controls how many rows are returned in the results and the ranges for the counts displayed in the columns. The <timewrap-span> specified is 1week so there are 7 rows in the output. Counting back from 02 Oct 2021, there are 3 weeks between 02 Oct 2021 and 08 Sep 2021, which is why the column headings refer to 3 weeks, 2 weeks, and 1 week before.
The first date in the output is 26 Sep 2021. Counting back 3 weeks is 05 Sep 2021. There are no events for that date, which is why the output contains no value in the column 3weeks_before for 26 Sep 2021.
Look at the date 29 Sep 2021. Counting back 3 weeks is 08 Sep 2021. There is 1 earthquake for that date, as shown in the results for the first search.
This pattern continues for the rest of the results.
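The counting-back described above, as an added Python sketch (not Splunk's implementation and not code from this documentation). It assumes only the nine daily counts visible in the truncated timechart table, so later days come back empty; the `timewrap` and `column_name` helpers are hypothetical, and only the span ending on the run date is used for row dates, with no column emitted for it.

```python
from datetime import date, timedelta

# Daily counts from the page's first (truncated) results table, 08-16 Sep 2021.
# Later days are not listed on the page, so they are absent here (-> None).
TIMECHART = {date(2021, 9, 8) + timedelta(days=i): count
             for i, count in enumerate([1, 1, 1, 0, 0, 0, 1, 0, 0])}


def column_name(k, unit="week"):
    # "3weeks_before" appears on the page; the other names follow that pattern.
    return f"{k}{unit}{'s' if k > 1 else ''}_before"


def timewrap(series, span_days, run_date):
    """Fold a daily series into one column per earlier span, aligned to run_date.

    Returns (columns, rows). rows maps each day of the span ending on run_date
    to {column: count}, with None where the source series has no row.
    """
    latest_start = run_date - timedelta(days=span_days - 1)
    # Spans to count back so the oldest column reaches the first data point.
    gap = (latest_start - min(series)).days
    spans_back = max(1, -(-gap // span_days))  # ceiling division
    columns = [column_name(k) for k in range(spans_back, 0, -1)]
    rows = {}
    for offset in range(span_days):
        day = latest_start + timedelta(days=offset)
        rows[day] = {column_name(k): series.get(day - timedelta(days=k * span_days))
                     for k in range(spans_back, 0, -1)}
    return columns, rows


if __name__ == "__main__":
    columns, rows = timewrap(TIMECHART, span_days=7, run_date=date(2021, 10, 2))
    print("_time".ljust(12), *columns)
    for day, cells in rows.items():
        print(day.strftime("%d %b %Y").ljust(12),
              *("" if cells[c] is None else cells[c] for c in columns))
```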
Related information
- timechart command overview
- timechart command examples
- timewrap command syntax details
This documentation applies to the following versions of Splunk® Cloud Services: current