topic Re: help to compare 2 single panel value between 2 different times but between the same hour in Splunk Enterprise

How to compare 2 single panel value between 2 different times but between the same hour?

jip31 — Mon, 13 Jun 2022 19:58:58 GMT

hello

In my dashboard, I need to compare 2 single panel value between 2 different times

The first single panel stats the events on the last 15 minutes like this

| stats max(sys_session_count) as session by host | stats sum(session) as session | table session

Now, what I need to do is to compare this current single panel value with the results one week before during the same slot time

For example, today is the 13 of June and the current hour is 8:15 AM

So in the second single panel, I need to display result for the 6 of June at 8:15

Here is what I am doing

But I think it's not good because whatever the time is (8:15, 8:30, 8:45...), the results is almot the same

So is anybody have an idea in order to answer to my need correctly?

thanks

Re: help to compare 2 single panel value between 2 different times but between the same hour

ITWhisperer — Mon, 13 Jun 2022 06:56:17 GMT

What do you mean almost the same? Have you checked the results from 7 days ago?

Re: help to compare 2 single panel value between 2 different times but between the same hour

jip31 — Mon, 13 Jun 2022 07:37:43 GMT

Except if I am mistaken, the relative time in the search annihilate the time picker choice

Re: help to compare 2 single panel value between 2 different times but between the same hour

ITWhisperer — Mon, 13 Jun 2022 07:39:56 GMT

Yes, setting earliest and latest as you have done means that the timepicker is not used.

Re: help to compare 2 single panel value between 2 different times but between the same hour

jip31 — Thu, 16 Jun 2022 09:46:34 GMT

So for answering your question it changes anything....

Re: How to compare 2 single panel value between 2 different times but between the same hour?

jip31 — Fri, 17 Jun 2022 04:38:34 GMT

Is anybody can help please?

Re: How to compare 2 single panel value between 2 different times but between the same hour?

ITWhisperer — Fri, 17 Jun 2022 05:39:51 GMT

OK I'll ask again. What do you mean by almost the same?

Can you give some examples of the results you are getting and explain why they are not what you expect them to be?

Re: How to compare 2 single panel value between 2 different times but between the same hour?

jip31 — Fri, 17 Jun 2022 13:49:54 GMT

Please forget "almost the same"

Concerning my needs :

In a first search, I sum the number of session on the last 15 minutes like below

<dashboard refresh="60"> <label>XX</label> <search id="session"> <query>`index` sourcetype="system" </query> <refresh>10s</refresh> <refreshType>delay</refreshType> <earliest>-15m</earliest> <latest>now</latest> </search> <row> <panel> <single> <search base="session"> <query>| stats max(sys_session_count) as session by host | stats sum(session) as session | table session

Now, I need to do the same thing 7 days before the current day

So here is what I doing

`index` sourcetype="system" earliest=-7d@h latest=-7d@h+15m | stats max(sys_session_count) as session by host | stats sum(session) as session | table session

But it seems that earliest=-7d@h latest=-7d@h+15m dont display events on the last 15m compared to the current time

what I exactly need in this second search is to sum the number of session 7 days ago and on the last 15 minutes only

so I am looking for the best way to do this please

Re: How to compare 2 single panel value between 2 different times but between the same hour?

ITWhisperer — Fri, 17 Jun 2022 14:29:06 GMT

Shouldn't this be

sourcetype="system" earliest=-7d@m-15m latest=-7d@m