https://community.splunk.com/t5/Splunk-Enterprise/line-chart-comparison-between-yesterday-and-todays-data/m-p/671686#M18110 <P>Hi,</P><P>I have requirement to show the line chart comparison between todays count vs previous day. And, I have below SPL but&nbsp;<SPAN>we see the data from yesterday and today, and each graph line is separate.</SPAN></P><P><SPAN>&nbsp;I want to see the lines together, one superimposed on the other. please could you suggest?</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="selvam_sekar_2-1702462177610.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28480iE18E69BA6CA34144/image-size/medium?v=v2&amp;px=400" role="button" title="selvam_sekar_2-1702462177610.png" alt="selvam_sekar_2-1702462177610.png" /></span></P><P>&nbsp;</P><P>please can you suggest to compare them?</P><P><STRONG>Current SPL:&nbsp;</STRONG>&nbsp;</P><P>basesearch earliest=-1d@d latest=now<BR />| eval Day=if(_time&lt;relative_time(now(),"@d"),"Yesterday","Today")<BR />| timechart span=15m count by Day</P><P><STRONG>Current visualization:</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="selvam_sekar_0-1702461940437.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28478i713DB272CAEECCAF/image-size/medium?v=v2&amp;px=400" role="button" title="selvam_sekar_0-1702461940437.png" alt="selvam_sekar_0-1702461940437.png" /></span></P><P><STRONG>Expected visualization&nbsp;is:</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="selvam_sekar_1-1702462074024.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28479i2F82D9A4445C5346/image-size/medium?v=v2&amp;px=400" role="button" title="selvam_sekar_1-1702462074024.png" alt="selvam_sekar_1-1702462074024.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 13 Dec 2023 10:11:15 GMT selvam_sekar 2023-12-13T10:11:15Z https://community.splunk.com/t5/Splunk-Enterprise/line-chart-comparison-between-yesterday-and-todays-data/m-p/671686#M18110 <P>Hi,</P><P>I have requirement to show the line chart comparison between todays count vs previous day. And, I have below SPL but&nbsp;<SPAN>we see the data from yesterday and today, and each graph line is separate.</SPAN></P><P><SPAN>&nbsp;I want to see the lines together, one superimposed on the other. please could you suggest?</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="selvam_sekar_2-1702462177610.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28480iE18E69BA6CA34144/image-size/medium?v=v2&amp;px=400" role="button" title="selvam_sekar_2-1702462177610.png" alt="selvam_sekar_2-1702462177610.png" /></span></P><P>&nbsp;</P><P>please can you suggest to compare them?</P><P><STRONG>Current SPL:&nbsp;</STRONG>&nbsp;</P><P>basesearch earliest=-1d@d latest=now<BR />| eval Day=if(_time&lt;relative_time(now(),"@d"),"Yesterday","Today")<BR />| timechart span=15m count by Day</P><P><STRONG>Current visualization:</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="selvam_sekar_0-1702461940437.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28478i713DB272CAEECCAF/image-size/medium?v=v2&amp;px=400" role="button" title="selvam_sekar_0-1702461940437.png" alt="selvam_sekar_0-1702461940437.png" /></span></P><P><STRONG>Expected visualization&nbsp;is:</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="selvam_sekar_1-1702462074024.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28479i2F82D9A4445C5346/image-size/medium?v=v2&amp;px=400" role="button" title="selvam_sekar_1-1702462074024.png" alt="selvam_sekar_1-1702462074024.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 13 Dec 2023 10:11:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/line-chart-comparison-between-yesterday-and-todays-data/m-p/671686#M18110 selvam_sekar 2023-12-13T10:11:15Z https://community.splunk.com/t5/Splunk-Enterprise/line-chart-comparison-between-yesterday-and-todays-data/m-p/671698#M18111 <P>Hi</P><P>have you look <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap" target="_self">timewrap</A> command?</P><P>You could try something like&nbsp;</P><LI-CODE lang="markup">basesearch earliest=-1d@d latest=now | timechart span=15m count | timewrap d </LI-CODE><P>Your result shows little bit weird as yesterday you have a whole day, but today is only from midnight to now.</P><P>r. Ismo&nbsp;</P> Wed, 13 Dec 2023 11:01:18 GMT https://community.splunk.com/t5/Splunk-Enterprise/line-chart-comparison-between-yesterday-and-todays-data/m-p/671698#M18111 isoutamo 2023-12-13T11:01:18Z https://community.splunk.com/t5/Splunk-Enterprise/line-chart-comparison-between-yesterday-and-todays-data/m-p/671765#M18119 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;. How do we get the comparison between today vs yesterday with some time line.</P> <P>Currently I am getting yesterday whole day(24 hrs) but today midnight to upto now.&nbsp;</P> <P>&nbsp;</P> <P>is it possible for us to bring only today (midnight till now) vs same timeframe previous day in the chart?</P> <P>Current SPL:</P> <LI-CODE lang="markup">basesearch earliest=-1d@d latest=now | timechart span=1h count | timewrap d series=short | fields _time s1 s0 | rename s1 as today, s0 as yesterday</LI-CODE> Wed, 13 Dec 2023 17:00:23 GMT https://community.splunk.com/t5/Splunk-Enterprise/line-chart-comparison-between-yesterday-and-todays-data/m-p/671765#M18119 selvam_sekar 2023-12-13T17:00:23Z https://community.splunk.com/t5/Splunk-Enterprise/line-chart-comparison-between-yesterday-and-todays-data/m-p/671768#M18120 <P>Maybe not exactly what you are looking, but at least you could cleared out (set to 0) those events like</P><LI-CODE lang="markup">basesearch earliest=-1d@d latest=now | eval takeIn = case (_time&gt;=relative_time(now(),"@d") ,"take", _time&lt;=relative_time(now(), "-1d"), "take", true(), "drop") | where takeIn = "take" | timechart span=1h count | timewrap d series=short | fields _time s1 s0 | rename s1 as today, s0 as yesterday</LI-CODE> Wed, 13 Dec 2023 17:20:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/line-chart-comparison-between-yesterday-and-todays-data/m-p/671768#M18120 isoutamo 2023-12-13T17:20:50Z https://community.splunk.com/t5/Splunk-Enterprise/line-chart-comparison-between-yesterday-and-todays-data/m-p/672028#M18141 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;. This works as expected <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> and only thing is not grouping the the user_id but rather it's grouping by timeformat/_time every 1 hr.</P> <P>&nbsp;</P> <P>is it possible to group by user_id?</P> <P>current spl:</P> <LI-CODE lang="markup">base search | rex user_id | eval takeIn = case (_time&gt;=relative_time(now(),"@d") ,"take", _time&lt;=relative_time(now(), "-1d"), "take", true(), "drop") | where takeIn = "take" | timechart span=1h count | timewrap d series=short | fields _time s1 s0 | rename s1 as today, s0 as yesterday | where today !=""</LI-CODE> Fri, 15 Dec 2023 15:29:16 GMT https://community.splunk.com/t5/Splunk-Enterprise/line-chart-comparison-between-yesterday-and-todays-data/m-p/672028#M18141 selvam_sekar 2023-12-15T15:29:16Z