topic Re: How do we specify same day last week in Getting Data In

How do we specify same day last week

xvxt006 — Wed, 17 Apr 2013 03:16:58 GMT

Hi,

i want to compare the traffic from today to the traffic from the same day a week back.

in the time range i have -7d@h in the from filed and left empty in the to field. Also my query is like this ....| stats count by date_hour

I don't think i am getting right stats. When i verified the same search query using custom time frame (for the same day last week) i am getting different counts. Any suggestions?

Re: How do we specify same day last week

kristian_kolb — Wed, 17 Apr 2013 04:41:46 GMT

well, date_hour can be wrong! Especially if you're pulling logs from more than one TZ.

_time gets the value adjusted for TZ - what you see to the left of each event.
date_hour is the hour from within the event itself.

With _time you can make searches like "what happened in the last 15 mins, across all timezones"
With date_* you can with a single search that asks questions like "who was logging on after 8.00, in their respective TZ". (Dont forget to use a wide enough timespan in the search though).

Other than that, have you looked at the DeploymentMonitor app. It contains searches that compare statistics for 'now' and 'same day/hour last week'. You could possibly gain some insights from looking at them.

Also, there is a blog post on the subject;

http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

Hope this helps,

Kristian

Re: How do we specify same day last week

xvxt006 — Wed, 17 Apr 2013 14:15:03 GMT

Thank you Kristian for your help. This is very useful.

Re: How do we specify same day last week

carasso — Fri, 06 Dec 2013 21:31:43 GMT

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

If you want to limit it to a specific day of the week, add:

... | where strftime(_time, "%A") == "Wednesday"

http://apps.splunk.com/app/1645/

Re: How do we specify same day last week

MayankChandra — Mon, 23 Aug 2021 22:25:58 GMT

@kristian_kolb Suppose we want splunk to evaluate yesterday's day on its own and we dont mention specific day of the week like "Wednesday" and then use yesterday's day of week to compare data with same day of week for last 2 weeks, how we can achieve that?