https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96654#M20143 <P>I have read it and came up with this:<BR /> host="stats" earliest=-0d@d latest=now | xmlkv | eval ReportKey="today" | append [ search host="stats" earliest=-1d@d latest=-0d@d | xmlkv | eval ReportKey="yesterday" | eval _time=_time+86400 ] | timechart span=10m max(usersCount) by ReportKey</P> <P>however, the graph does not look right - it shows all of today and then a small portiion of yesterday AFTER today instead in parallel</P> Mon, 28 Sep 2020 12:04:12 GMT nirt 2020-09-28T12:04:12Z https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96652#M20141 <P>Hi,<BR /> I need to create a graph that contains 2 searches, to compare today's search and last week's search<BR /> I know there are lot of guides here that explain how to do it, however I'm quite a new splunk user and have tried for the past hours to try and get the graph to show properly however I was not able to product such working search<BR /> I was wondering if you guys could assist me in creating such search<BR /> My common search is as following:<BR /> host="stats" | xmlkv | timechart max(usersCount)</P> <P>Thank you guys in advance</P> Thu, 12 Jul 2012 12:37:19 GMT https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96652#M20141 nirt 2012-07-12T12:37:19Z https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96653#M20142 <P>Have you read through this? It gives a detailed walk through of one way to do it?</P> <P><A href="http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/">http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/</A></P> Thu, 12 Jul 2012 13:30:28 GMT https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96653#M20142 sdaniels 2012-07-12T13:30:28Z https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96654#M20143 <P>I have read it and came up with this:<BR /> host="stats" earliest=-0d@d latest=now | xmlkv | eval ReportKey="today" | append [ search host="stats" earliest=-1d@d latest=-0d@d | xmlkv | eval ReportKey="yesterday" | eval _time=_time+86400 ] | timechart span=10m max(usersCount) by ReportKey</P> <P>however, the graph does not look right - it shows all of today and then a small portiion of yesterday AFTER today instead in parallel</P> Mon, 28 Sep 2020 12:04:12 GMT https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96654#M20143 nirt 2020-09-28T12:04:12Z https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96655#M20144 <P>In the tip you have posted it says there is an issue displaying all content of an append search for versions prior to 4.3.1, however I'm using 4.3.3 and still have that issue</P> <P>this search worked for me: compared yesterday to 2 days ago:<BR /> host="stats" earliest=-1d@d latest=-0d@d | xmlkv | eval ReportKey="today" | append maxtime=100 [ search host="stats" earliest=-2d@d latest=-1d@d | xmlkv | eval ReportKey="yesterday" | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time), new_time, _time) | timechart span=10m max(usersCount) by ReportKey</P> Mon, 28 Sep 2020 12:05:23 GMT https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96655#M20144 nirt 2020-09-28T12:05:23Z https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96656#M20145 <P>I'm having problems showing the graph properly when comparing last week's day to today<BR /> Each graph shows independatly instead of together<BR /> the following search is being used:</P> <P>host="stats" earliest=-0d@d latest=+1d@d | xmlkv | eval ReportKey="today" | append maxtime=100 [ search host="stats" earliest=-7d@d latest=-6d@d | xmlkv | eval ReportKey="same day last week" | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time), new_time, _time) | <BR /> timechart span=20m max(usersCount) by ReportKey</P> <P>also tried eval new_time=_time+60*60*24*7</P> <P>any ideas?</P> Mon, 28 Sep 2020 12:05:26 GMT https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96656#M20145 nirt 2020-09-28T12:05:26Z https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96657#M20146 <P><STRONG>Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.</STRONG></P> <P>I wrote a convenient search command called "<A href="http://apps.splunk.com/app/1645/">timewrap</A>" that does it all, for arbitrary time periods.</P> <PRE><CODE>... | timechart count span=1d | timewrap w </CODE></PRE> <P>That's it!</P> <P><A href="http://apps.splunk.com/app/1645/">http://apps.splunk.com/app/1645/</A></P> Wed, 21 May 2014 19:01:47 GMT https://community.splunk.com/t5/Getting-Data-In/multiple-searches-in-one-graph/m-p/96657#M20146 carasso 2014-05-21T19:01:47Z