topic Re: How to create a week over week chart comparison from current time in Splunk Search

How to create a week over week chart comparison from current time

craighawk — Fri, 24 Aug 2012 23:09:31 GMT

index=data du= host= | timechart count by opp

index=data du= host=

I am useing version 4.3.2, build 123586

I have been trying to figure out how to make a chart with the current day/time compared to one week ago same day and time.

I have left out the dozens of variations I've tried to spare other newbies like myself the frustration of working through them only to find they didn't work.

** I used "all" since the asterisk wasn't being displayed.

Re: How to create a week over week chart comparison from current time

craighawk — Mon, 28 Sep 2020 12:20:03 GMT

Getting strange output and no legend stating "today" and "yesterday".

** 'du' values are different integers.

Re: How to create a week over week chart comparison from current time

craighawk — Sat, 25 Aug 2012 00:41:39 GMT

And it isn't showing up on a fancy chart like in the examples:

http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

Re: How to create a week over week chart comparison from current time

kallu — Sun, 26 Aug 2012 09:13:17 GMT

How does your data look? If you already have "du" -field in it I don't see any need for "multikv" -commands in your search. Also in your original example you were counting number of events by opp(?) but then you have changed it to be hourly average of du -field. Was this done on purpose? Does your search/charting work for today and week-ago if you run them separately?

Re: How to create a week over week chart comparison from current time

jonuwz — Sun, 26 Aug 2012 18:02:30 GMT

Something like this maybe, it doesn't take into account timezone changes, leap years etc.

index=_internal sourcetype=splunkd eps > 0 | addinfo 
| eval date_wnum=strftime(_time, "%V") 
| eval date_wnum_now=strftime(info_max_time, "%V")
| eval _time=_time+(date_wnum_now-date_wnum)*86400*7  
| eval date_wnum=if(date_wnum==date_wnum_now,"This week",(date_wnum_now-date_wnum)." weeks ago")
| bin _time span=1h
| chart avg(eps) over _time by date_wnum
| makecontinuous _time

It works by shifting previous weeks data into this week, but tagging it as "X weeks ago"
I use chart instead of timechart because timechart would plot the entire date range in the search, but because everything is timeshifted, all the data would be crammed at the end of the chart.

You need | makecontinuous _time

So that the JSchart prints reasonable 'time' values, instead of XML stype time values.

Re: How to create a week over week chart comparison from current time

craighawk — Mon, 27 Aug 2012 21:26:31 GMT

Great, that looks like it works! Thanks a lot.

Re: How to create a week over week chart comparison from current time

craighawk — Mon, 28 Sep 2020 12:20:38 GMT

Hello Kallu, I was able to get my question answered. This worked for me:

Re: How to create a week over week chart comparison from current time

chris_lewis — Thu, 16 May 2013 14:16:47 GMT

How would you achieve the same results but on the same x axis? So that the X axis just had the day of the week -> mon,tues,weds

and then have numerous lines for this week and 1 week ago?

That would be a lot better.

Re: How to create a week over week chart comparison from current time

lakromani — Mon, 06 Mar 2017 08:12:09 GMT

An old thread, but Splunk has now a better way to do this, using Timewrap
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap

Try this:

index=_internal sourcetype=splunkd eps>0 earliest=-1mon latest=now
| timechart avg(eps) span=1h 
| timewrap 1w