topic Re: Comparing time ranges one report in Dashboards & Visualizations

Comparing time ranges one report

lspringer — Fri, 28 Sep 2012 21:20:03 GMT

I'm trying to get Thursday of this week compared with Thursday of last week and have the values overlay in a stack graph.

Using the following search, based off this link, I'm not able to get the data to overlap I can only get it working side by side.

source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-1d@d latest=-0d@d 
| eval ReportKey="this week" 
| append maxtime=600 [search source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-8d@d latest=-7d@d
   | eval _time=_time+60*60*24*7 
   | eval ReportKey="last week"] 
| timechart span=5m avg(Value) by ReportKey

What am I missing?

Splunk Version 4.3.3

Re: Comparing time ranges one report

lguinn2 — Sun, 30 Sep 2012 19:10:00 GMT

What you have looks right. I have two ideas:

First, there are some versions of Splunk that do not happily let you re-compute _time in a subsearch. So, recompute it in the main search as follows:

source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-1d@d latest=-0d@d 
| eval ReportKey="this week" 
| append maxtime=600 [search source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-8d@d latest=-7d@d
   | eval ReportKey="last week"] 
| eval _time=if(ReportKey=="last week",_time+60*60*24*7,_time)
| timechart span=5m avg(Value) by ReportKey

Option #2 - Don't use a subsearch. This can get around other problems, such as very large datasets. (Although you might want to also consider summary indexing if your search runs for a long time.) It might also help with this problem.

source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-8d@d latest=-0d@d 
| eval ReportKey="deleteThisEvent"
| eval ReportKey=if(_time<=relative_time(now(),"-7d@d"),"SameDayLastWeek",ReportKey)
| eval ReportKey=if(_time>=relative_time(now(),"-1d@d"),"Yesterday",ReportKey)
| where ReportKey!="deleteThisEvent"
| eval _time=if(ReportKey=="last week",_time+60*60*24*7,_time)
| timechart fixedrange=false span=5m avg(Value) by ReportKey

The earliest means pick 8 days ago all the way up to yesterday at midnight.
The first eval computes the full day of 7 days ago because of the earliest setting -7d@d up to -8d@d
The second eval computes yesterday up to midnight because of the latest setting -1d@d up to -0d@d
The rest "deleteThisEvent" gets rid of everything outside of those boundaries.

Re: Comparing time ranges one report

lspringer — Mon, 01 Oct 2012 17:14:08 GMT

The first option was successful. Thanks!

Re: Comparing time ranges one report

fedayn — Fri, 12 Apr 2013 08:53:58 GMT

Hi,

My report is quite simirlar to this one but my idea is to build a timechart for the Domain user account lock outs from two days.

The idea is to compare the user account lockouts (Event ID 644) difference between yesterday and today.

I created the search but something goes wrong as I get less matchings than running the search separately.

sourcetype="WinEventLog:Security" EventCode="644" earliest=-0d@d latest=now | eval ReportKey="today" | append [search sourcetype="WinEventLog:Security" EventCode="644" earliest=-1d@d latest=-0d@d | eval ReportKey="yesterday"] | eval _time=if(ReportKey=="yesterday",_time+86400,_time) | timechart span=120m c(EventCode) by ReportKey

Thank you.

Re: Comparing time ranges one report

fedayn — Mon, 15 Apr 2013 11:47:41 GMT

Any help with this, please.

Re: Comparing time ranges one report

lspringer — Thu, 18 Apr 2013 16:20:40 GMT

Make sure you are being timed out by a auto-finalized subsearch.

Try:

append maxtime=600[search sourcetype="WinEventLog:Security" EventCode="644" earliest=-1d@d latest=-0d@d

Re: Comparing time ranges one report

lguinn2 — Mon, 22 Apr 2013 17:46:09 GMT

May I suggest that you open a different thread if you have a different problem? The original question is marked as "Answered" and that means that no one is expecting to find more questions here.

That said, the following may help:

The default number of results from a subsearch is 100; the maximum is 10499. To increase the number of results above the default of 100, you can edit limits.conf or use the format command.
My guess is that this is your problem. More info at the following link

http://docs.splunk.com/Documentation/Splunk/5.0.2/Search/Aboutsubsearches

Re: Comparing time ranges one report

carasso — Fri, 06 Dec 2013 21:19:03 GMT

Comparing week-over-week results is a pain in Splunk. You have to do absurd math for crazy date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

http://apps.splunk.com/app/1645/

Re: Comparing time ranges one report

carasso — Fri, 06 Dec 2013 21:47:20 GMT

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-1d@d latest=-0d@d 
| timechart avg(Value) span=1h 
| timewrap w 
| where strftime(_time, "%A") == "Thursday"

That's it!

http://apps.splunk.com/app/1645/

Re: Comparing time ranges one report

rdeloach — Tue, 30 Aug 2016 14:28:52 GMT

Can you use timewrap to populate a single value visualization with trend indicator? For instance I want the last 7 days to populate the single value and the week before that to be fed into the trend indicator.

Re: Comparing time ranges one report

landen99 — Mon, 07 Aug 2017 18:22:59 GMT

Here is a much more elegant solution which can plot all days on the same day in timechart and does not require the use of an app:

| eval series=strftime(_time, "%m-%d") | eval time_delta=(now-_time)/86400,time_day=ceiling(time_delta),_time=_time+time_day*86400 | eval day=case(time_day=0,"Today",time_day=1,"Yesterday",time_day=8,"SD last week") | timechart fixedrange=false sum(count) by day

This allows you to plot any time range by series or to assign nice names in the case statement to each day based on its relation to the current time/day. 86400 is the number of seconds in a day.