topic Re: how can I compare the last week vs 3 hours of data in Splunk Enterprise

How can I compare the last week vs 3 hours of data?

uagraw01 — Thu, 26 May 2022 16:46:58 GMT

Hello Splunkers!!

Can you help me understand that how can I compare the last week vs 3 hours of data in Splunk.
Previously I have compared the current week and previous week of data by using the timewrap command but last week vs 3 hours in creating confusion for me. Please provide me the solution and suggestion.

Below screenshot belongs to Newrelic.

Re: how can I compare the last week vs 3 hours of data

ITWhisperer — Thu, 26 May 2022 06:37:22 GMT

index=your_index ((earliest=@m-3h latest=@m) OR (earliest=@m-3w-3h latest=@m-3w)) | eval time=date_hour.":".date_minute | chart count by time date_mday

Re: how can I compare the last week vs 3 hours of data

uagraw01 — Thu, 26 May 2022 07:39:50 GMT

@ITWhisperer Thanks for your reply on this. But that is not giving me the correct result.

Can we use this SPL ?

Re: how can I compare the last week vs 3 hours of data

ITWhisperer — Thu, 26 May 2022 08:01:22 GMT

Not really - with your search, your x-axis will be the time in epoch format i.e. full date and time, so your two lines will not overlap as you would like.

Re: how can I compare the last week vs 3 hours of data

uagraw01 — Thu, 26 May 2022 08:56:49 GMT

@ITWhisperer

You search giving this kind of visualization. Can you please to make more corrective on this.

Re: how can I compare the last week vs 3 hours of data

ITWhisperer — Thu, 26 May 2022 09:03:49 GMT

What would you like to change about it?

Re: how can I compare the last week vs 3 hours of data

uagraw01 — Thu, 26 May 2022 09:07:41 GMT

@ITWhisperer Like the span in the x-axis would be like 30 mins if we the graph of the NewRelic which i have attached in my first screenshot.

Re: how can I compare the last week vs 3 hours of data

ITWhisperer — Thu, 26 May 2022 09:21:50 GMT

The graphic you shared doesn't use a span of 30 minutes as there are multiple points within each 30 minute period across your 3 hour graph.

Do you want a point for each 30 minute period (span=30m) or a point for each minute?

Re: how can I compare the last week vs 3 hours of data

uagraw01 — Thu, 26 May 2022 10:00:18 GMT

@ITWhisperer I am confusing with this timeframe "

((earliest=@m-3h latest=@m) OR (earliest=@m-1w-3h latest=@m-3w)) "

Can you please help me explain this ?

And other than this can we use the time wrap command approach ?

Re: how can I compare the last week vs 3 hours of data

ITWhisperer — Thu, 26 May 2022 10:07:26 GMT

Your initial search (the line that starts with index=) will normally be over a timeframe defined by the earliest and latest options either in the dashboard or timepicker if in search app.

This can be overridden by defining earliest and latest values as part of the search.

What this part is doing is overriding the timeframe with two timeframe so events will be kept if they fall into either timeframe.

This has the advantage over using the append approach that you used because append is using a subsearch and is therefore limited to the number of events it can process.

Re: how can I compare the last week vs 3 hours of data

uagraw01 — Thu, 26 May 2022 10:46:39 GMT

@ITWhisperer Can we use " (earliest=@m-1w-3h latest=@m-1w)) in place of below you have suggested

(earliest=@m-3w-3h latest=@m-3w))

I have chnaged 3W to 1W

Re: how can I compare the last week vs 3 hours of data

ITWhisperer — Thu, 26 May 2022 10:50:13 GMT

Yes, that should work (assuming your index retains data for that period)

Re: how can I compare the last week vs 3 hours of data

uagraw01 — Thu, 26 May 2022 10:58:21 GMT

@ITWhisperer Let me explore as suggested. I will let you know if any issue.

Thanks for your great help!!

Re: how can I compare the last week vs 3 hours of data

uagraw01 — Thu, 26 May 2022 13:19:06 GMT

@ITWhisperer I have used your suggested query. But here you can see the yellow highlighted one which is showing 26 day of data as well as 5 day of the data. Here I want last 7 days of the data with comparison of last 3 hours of data. I think we need to modify some changes here "(earliest=@m-3w-3h latest=@m-3w)". Please help me to fix this.

Re: how can I compare the last week vs 3 hours of data

ITWhisperer — Thu, 26 May 2022 13:24:56 GMT

26 is 26th of the month - 5 is the 5th of the month - these are 3 weeks apart.

I am not sure what you are trying to compare - do you want the last 3 hours and the same time of day for a day 3 weeks ago or something else?

Re: how can I compare the last week vs 3 hours of data

uagraw01 — Thu, 26 May 2022 13:34:23 GMT

@ITWhisperer Here I just want to compare a trend for last three hours with complete 1 week ago.

Que : do you want the last 3 hours and the same time of day for a day 3 weeks ago :?

Ans : No

Re: how can I compare the last week vs 3 hours of data

ITWhisperer — Thu, 26 May 2022 17:09:48 GMT

So what do you expect to be measured by the x-axis?

Re: how can I compare the last week vs 3 hours of data

uagraw01 — Thu, 26 May 2022 17:24:11 GMT

@ITWhisperer I want the last 3 hours and the same time for a day 1 week ago.

Re: how can I compare the last week vs 3 hours of data

ITWhisperer — Thu, 26 May 2022 17:28:01 GMT

((earliest=@m-3h latest=@m) OR (earliest=@m-1w-3h latest=@m-1w))