Solved: Re: How do you chart 3 time periods in 1 report?

CJGittings · ‎12-07-2018

I am looking to combine 3 different time periods into 1 chart. The 3 time periods will include last hour, previous hour and the week before the last hour. I want the chart to total for each time period.

I have been trying numerous search variations and various functions with no luck.

Thinking it should be something close to this, but I'm not really sure because I can't get data. I either receive the incorrect search function or data with the searches I am doing.

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | chart count by log_subtype | [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h] | chart count by log_subtype

nagarjuna280 · ‎12-08-2018

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | stats count as "LastHour" by log_subtype
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | stats count as "PreviousHour" by log_subtype]
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | stats count as "PreviousWeek" by log_subtype]

View solution in original post

woodcock · ‎12-08-2018

You need the timewrap command:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap

Maybe something like this:

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h
| timechart count span=1h BY log_subtype
| timewrap 1h

nagarjuna280 · ‎12-08-2018

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | stats count as "LastHour" by log_subtype
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | stats count as "PreviousHour" by log_subtype]
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | stats count as "PreviousWeek" by log_subtype]

CJGittings · ‎12-12-2018

This worked perfectly. Thanks!

kmaron · ‎12-07-2018

try this:

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | chart count as "LastHour" by log_subtype
| appendcols
    [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | chart count as "PreviousHour" by log_subtype]
| appendcols 
    [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | chart count as "PreviousWeek" by log_subtype]

II think this will get you the previous week up to the last hour: earliest=-7d@h latest=@h-1h

CJGittings · ‎12-07-2018

Tried this search and only get back 3 columns in the table: log_subtype, LastHour and PreviousWeek. Log_subtype just reads end, PreviousWeek reads data, LastHour returns no data and PreviousHour doesn't show at all. Thanks for the response.

How do you chart 3 time periods in 1 report?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How do you chart 3 time periods in 1 report?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?