topic Re: How do I edit my timechart search with timewrap to compare the latest 2 hours with the same 2 hours 3 days ago? in All Apps and Add-ons

How do I edit my timechart search with timewrap to compare the latest 2 hours with the same 2 hours 3 days ago?

mattusr — Fri, 11 Dec 2015 16:09:21 GMT

Hello,

Sorry if this has been answered before, however, I am struggling with a search that I am trying to build.

The ideal result that I am trying to achieve is the following:

I want a time chart to display the last two hours for a field like duration. In addition to showing the last two hours, I want it to show the same hours, but for the previous 3 days. Therefore, I want to compare the recent/latest two hours with those of the previous days.

I thought I could achieve this with the timewrap app, but I am struggling to write the search

index="main" 
[stats count | eval earliest="-4d" | fields earliest]
[stats count | eval latest="now" | fields latest] 
| timechart avg(duration)
| timewrap d

Please let me know if I have not provided enough information.

Re: How do I edit my timechart search with timewrap to compare the latest 2 hours with the same 2 hours 3 days ago?

Richfez — Sat, 12 Dec 2015 03:07:48 GMT

I have reworked a few things, but try this.

NOTE that I have a gap in MY events (it's just my test/home system) from 96 to 98 hours ago, so I had to use a somewhat different time frame then adjust it back - it MAY take a little tweaking to get just right but I think this is it:

index="main" earliest=-98h@h latest=-96h@h 
| append [search index="main" earliest=-2h@h latest=@h]
| timechart span=2h count 
| timewrap h series=short 
| eval percent_difference = 's1'/'s-95'*100 
| rename s-95 AS 4_days_ago s1 AS today

The big difference is I use the hourly timeframe of -96 to -98 hours ago for my "4 days ago" - so I'm taking now - 4 days (snapped to the hour) as my latest, then going back 2 more hours so that I have the most "aligned" time frame, then appending to that data that from the last 2 hours (also snapped to the hour to make the match as good as possible).

Then I timechart it into 2h chunks, then timewrap it by hours (not days - days will separate these out onto two lines for reasons to lengthy even for me to get into here) to get your two fields. I tossed in, free of any extra charge, a freebie that finds the percentage difference between the two sums, so lucky you! Then I just rename some things.

BTW, no guarantees this will not be off by an hour during the 4 days the 4-day period involved spans a daylight savings time change. In fact, I know the "96 hours ago" will be off by one hour during those few days. Not sure how to fix that easily.

There are other methods available, but I think because of the small time frames so widely separated that this is better than most of the others.

Re: How do I edit my timechart search with timewrap to compare the latest 2 hours with the same 2 hours 3 days ago?

mattusr — Tue, 29 Sep 2020 08:18:59 GMT

Hi,

Thank you so much for a response, I have been away so finally got to test in our production environment.

I am struggling with the search.

To make it clearer would you be able to incorporate the following into your example

Trying to timechart field (time_taken) and want to timechart the average so avg(time_taken)

Hope this make sense!

Thanks

Re: How do I edit my timechart search with timewrap to compare the latest 2 hours with the same 2 hours 3 days ago?

Richfez — Wed, 04 Jan 2017 01:07:08 GMT

I just saw this comment - nearly a year later! Sorry!

I am not quite sure I follow, though perhaps I do but don't understand how it would work. Still, if I had to make a guess try changing the timechart in the above to

timechart sum(time_taken) as total_time_taken, avg(time_taken) as avg_time_taken

Then just follow on with everything else. There are sure to be other minor adjustments, but that should get you started.

If that's not what you need, and you need this question still answered, please reply back with more information!

On the other hand, if this is resolved now and if this helped you significantly, please "Accept" the answer. If this is resolved but my answer didn't help a whole lot, it would be great if you could post your own answer then mark that one accepted!

Thanks,
Rich

Re: How do I edit my timechart search with timewrap to compare the latest 2 hours with the same 2 hours 3 days ago?

colinmchugo — Wed, 12 Jul 2017 15:15:33 GMT

Hi lads,

I am trying to do a timechart for multiple panels showing trendlines. So at the end of most of my panels i am just counting the count using stats count. I want to show the difference between this reading in the last 12 hours with the previous day or something that will show me that my calculations in parameters and so i know if the log files goes down etc. thanks