Hello,
Sorry if this has been answered before, however, I am struggling with a search that I am trying to build.
The ideal result that I am trying to achieve is the following:
I want a time chart to display the last two hours for a field like duration. In addition to showing the last two hours, I want it to show the same hours, but for the previous 3 days. Therefore, I want to compare the recent/latest two hours with those of the previous days.
I thought I could achieve this with the timewrap app, but I am struggling to write the search.
index="main"
[stats count | eval earliest="-4d" | fields earliest]
[stats count | eval latest="now" | fields latest]
| timechart avg(duration)
| timewrap d
Please let me know if I have not provided enough information.
Hi lads,
I am trying to do a timechart for multiple panels showing trendlines. So at the end of most of my panels I am just counting the count using stats count. I want to show the difference between this reading in the last 12 hours and the previous day, or something that will show me that my calculations in parameters are right and so I know if the log files go down etc. Thanks.
I have reworked a few things, but try this.
NOTE that I have a gap in MY events (it's just my test/home system) from 96 to 98 hours ago, so I had to use a somewhat different time frame then adjust it back - it MAY take a little tweaking to get just right but I think this is it:
index="main" earliest=-98h@h latest=-96h@h
| append [search index="main" earliest=-2h@h latest=@h]
| timechart span=2h count
| timewrap h series=short
| eval percent_difference = 's1'/'s-95'*100
| rename s-95 AS 4_days_ago s1 AS today
The big difference is I use the hourly timeframe of -96 to -98 hours ago for my "4 days ago" - so I'm taking now - 4 days (snapped to the hour) as my latest, then going back 2 more hours so that I have the most "aligned" time frame, then appending to that the data from the last 2 hours (also snapped to the hour to make the match as good as possible).
Then I timechart it into 2h chunks, then timewrap it by hours (not days - days will separate these out onto two lines for reasons too lengthy even for me to get into here) to get your two fields. I tossed in, free of any extra charge, a freebie that finds the percentage difference between the two sums, so lucky you! Then I just rename some things.
BTW, no guarantees this will not be off by an hour during the few days when the 4-day period involved spans a daylight savings time change. In fact, I know the "96 hours ago" will be off by one hour during those few days. Not sure how to fix that easily.
There are other methods available, but I think because of the small time frames so widely separated that this is better than most of the others.
Hi,
Thank you so much for a response, I have been away so finally got to test in our production environment.
I am struggling with the search.
To make it clearer, would you be able to incorporate the following into your example?
I am trying to timechart the field (time_taken) and want to timechart the average, so avg(time_taken).
Hope this makes sense!
Thanks
I just saw this comment - nearly a year later! Sorry!
I am not quite sure I follow, though perhaps I do but don't understand how it would work. Still, if I had to make a guess, try changing the timechart
in the above to
timechart sum(time_taken) as total_time_taken, avg(time_taken) as avg_time_taken
Then just follow on with everything else. There are sure to be other minor adjustments, but that should get you started.
If that's not what you need, and you need this question still answered, please reply back with more information!
On the other hand, if this is resolved now and if this helped you significantly, please "Accept" the answer. If this is resolved but my answer didn't help a whole lot, it would be great if you could post your own answer then mark that one accepted!
Thanks,
Rich
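The append/timechart/timewrap comparison from the accepted answer, adapted for avg(time_taken) as asked in the follow-up, reproduced here as an added Python example over constructed events (this is not Splunk code and not the answer's own); it also shows the one-hour skew between 96 elapsed hours and 4 wall-clock days across a DST change that the answer warns about. The America/New_York timezone, the field name time_taken and every event value are assumptions.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean
from zoneinfo import ZoneInfo

NY = ZoneInfo("America/New_York")  # assumed search-head timezone

def snap_to_hour(t):
    # Equivalent of the @h snap in earliest=-2h@h / latest=@h
    return t.replace(minute=0, second=0, microsecond=0)

def real_hours_ago(t, hours):
    # Splunk's -96h means 96 elapsed hours, so subtract via UTC; across a DST
    # change this lands one wall-clock hour away from "4 days ago" (the caveat)
    return (t.astimezone(timezone.utc) - timedelta(hours=hours)).astimezone(t.tzinfo)

def window_avg(events, start, end):
    # avg(time_taken) over [start, end), like timechart span=2h avg(time_taken)
    vals = [v for ts, v in events if start <= ts < end]
    return mean(vals) if vals else None

def compare_windows(events, now, span_hours=2, days_back=4):
    latest = snap_to_hour(now)                      # latest=@h
    today = window_avg(events, latest - timedelta(hours=span_hours), latest)
    past_latest = real_hours_ago(latest, days_back * 24)   # latest=-96h@h
    ago = window_avg(events, past_latest - timedelta(hours=span_hours), past_latest)
    # Same arithmetic as: eval percent_difference = 's1'/'s-95'*100
    pct = None if today is None or not ago else today / ago * 100
    return {"today": today, "4_days_ago": ago, "percent_difference": pct}

def dst_skew_hours(now, days_back=4):
    # Hours between "same wall-clock time N days ago" and "N*24 elapsed hours ago"
    wall = now - timedelta(days=days_back)   # same tzinfo: wall-clock arithmetic
    real = real_hours_ago(now, days_back * 24)
    return (wall.astimezone(timezone.utc) - real.astimezone(timezone.utc)) / timedelta(hours=1)

# Constructed events (timestamp, time_taken); DST began 2024-03-10 in New York
EVENTS = [
    (datetime(2024, 3, 12, 8, 30, tzinfo=NY), 200),
    (datetime(2024, 3, 12, 9, 45, tzinfo=NY), 400),
    (datetime(2024, 3, 12, 10, 10, tzinfo=NY), 999),  # after latest=@h, excluded
    (datetime(2024, 3, 8, 7, 15, tzinfo=NY), 100),
    (datetime(2024, 3, 8, 8, 50, tzinfo=NY), 300),
    (datetime(2024, 3, 8, 9, 10, tzinfo=NY), 999),    # after the -96h@h window, excluded
]
NOW = datetime(2024, 3, 12, 10, 30, tzinfo=NY)
```

With these events the "today" window is 08:00-10:00 EDT on the 12th and the "4 days ago" window is 07:00-09:00 EST on the 8th, one wall-clock hour earlier because 96 elapsed hours span the DST change.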