topic Re: Compare x hours vs last 1 week ago in Splunk Search

Compare x hours vs last 1 week ago

uagraw01 — Wed, 07 Sep 2022 08:12:50 GMT

@ITWhisper As per the Below Screenshot I want to add Custom time frame. Where user can able to select any time frame and compare the results.

Please help to understand the logic.

Re: Compare x hours vs last 1 week ago

ITWhisperer — Wed, 07 Sep 2022 09:59:18 GMT

One way to do this is to have the corresponding string as the value for each of the labels in your custom time range selector. For example: last 15 minutes might have a value of "((earliest=@m-15m latest=@m) OR (earliest=@m-1w-15m latest=@m-1w))", then you just use the token in your search instead of the current setting

Re: Compare x hours vs last 1 week ago

uagraw01 — Wed, 07 Sep 2022 10:06:48 GMT

@ITWhisperer As per below Where I need to use the token.

My Current SPL is Like :

index=ecomm_sfcc_prod sourcetype=sfcc_logs source="/mnt/webdav/*.log" "Order created successfully" $country_s1$ ((earliest=@m-$earliest_tok$ latest=@m) OR (earliest=@m-6d-$earliest_tok$ latest=@m-6d))
| rex field=_raw "Payment\s+Method\:\s(?<Payment_Method>[A-Za-z0-9.+]+)"
| rex field=_raw "Device\sType\:\s+(?<Device_Type>[A-Za-z0-9.+]+)"
| eval Device_Type=upper(Device_Type)
| search Device_Type="$Device_t$"
| eval date_hour=strftime(_time, "%H:%M%p %Z")
| eval time=date_hour
| eval date=date_month.":".date_mday
| chart count by time date

Current XML setting :

<input type="radio" token="period_tok" searchWhenChanged="true">
<label>Select a time range</label>
<choice value="5m">Last 5 minute</choice>
<choice value="15m">Last 15 minute</choice>
<choice value="60m">Last 60 Minute</choice>
<choice value="3h">Last 3 hours</choice>
<choice value="6h">Last 6 hours</choice>



<change>
<condition label="Last 60 Minute">
<set token="date_label">Last 60 minutes</set>
<set token="earliest_tok">$value$</set>
</condition>
<condition label="Last 6 hours">
<set token="date_label">Last 6 hours</set>
<set token="earliest_tok">$value$</set>
</condition>
<condition label="Last 3 hours">
<set token="date_label">Last 3 hours</set>
<set token="earliest_tok">$value$</set>
</condition>
<condition label="Last 5 minute">
<set token="date_label">Last 5 minutes</set>
<set token="earliest_tok">$value$</set>
</condition>
<condition label="Last 15 minute">
<set token="date_label">Last 15 minutes</set>
<set token="earliest_tok">$value$</set>
</condition>

Re: Compare x hours vs last 1 week ago

ITWhisperer — Wed, 07 Sep 2022 10:21:02 GMT

Does what you are doing not already work?

Setting earliest_tok is a bit superfluous as the value is already available in period_tok

index=ecomm_sfcc_prod sourcetype=sfcc_logs source="/mnt/webdav/*.log" "Order created successfully" $country_s1$ ((earliest=@m-$period_tok$ latest=@m) OR (earliest=@m-6d-$period_tok$ latest=@m-6d)) | rex field=_raw "Payment\s+Method\:\s(?<Payment_Method>[A-Za-z0-9.+]+)" | rex field=_raw "Device\sType\:\s+(?<Device_Type>[A-Za-z0-9.+]+)" | eval Device_Type=upper(Device_Type) | search Device_Type="$Device_t$" | eval date_hour=strftime(_time, "%H:%M%p %Z") | eval time=date_hour | eval date=date_month.":".date_mday | chart count by time date

Re: Compare x hours vs last 1 week ago

uagraw01 — Wed, 07 Sep 2022 10:32:54 GMT

@ITWhisperer My previous token "earliest_tok" worked fine no issue I have faced, Here I am 5 custom time frame selector. As per the user he wants custom time frame from where he can select any time. Like 2 hours, 3 hours, 6 hours, 7 hours. Because Its tedious for me create multiple Time frames selector.

Re: Compare x hours vs last 1 week ago

ITWhisperer — Wed, 07 Sep 2022 10:35:43 GMT

You could just have a text input where the user puts 2h or 3h etc?

Re: Compare x hours vs last 1 week ago

uagraw01 — Wed, 07 Sep 2022 10:38:31 GMT

@ITWhisperer Can't we Create this time of time frame with the custom ones.

Re: Compare x hours vs last 1 week ago

uagraw01 — Wed, 07 Sep 2022 10:40:11 GMT

Can't we Create this time of time frame with the custom ones.

Re: Compare x hours vs last 1 week ago

ITWhisperer — Wed, 07 Sep 2022 10:54:18 GMT

How would that work if the user selected previous year, for example? What about "All time"? What about using the advanced setting? You probably need to think this through and decide / agree with your user what the precise requirement is.

Re: Compare x hours vs last 1 week ago

uagraw01 — Wed, 07 Sep 2022 11:52:04 GMT

@ITWhisperer I will verify with them.

Thanks for all your support