All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you chart 3 time periods in 1 report?

CJGittings
New Member
‎12-07-2018 08:53 AM

I am looking to combine 3 different time periods into 1 chart. The 3 time periods will include last hour, previous hour and the week before the last hour. I want the chart to total for each time period.

I have been trying numerous search variations and various functions with no luck.

Thinking it should be something close to this, but I'm not really sure because I can't get data. I either receive the incorrect search function or data with the searches I am doing.

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | chart count by log_subtype | [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h] | chart count by log_subtype
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nagarjuna280
Communicator
‎12-08-2018 10:37 AM

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | stats count as "LastHour" by log_subtype
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | stats count as "PreviousHour" by log_subtype]
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | stats count as "PreviousWeek" by log_subtype]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-08-2018 01:18 PM

You need the timewrap command:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap

Maybe something like this:

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h
| timechart count span=1h BY log_subtype
| timewrap 1h
0 Karma
Reply
Solved! Jump to solution
Solution

nagarjuna280
Communicator
‎12-08-2018 10:37 AM

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | stats count as "LastHour" by log_subtype
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | stats count as "PreviousHour" by log_subtype]
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | stats count as "PreviousWeek" by log_subtype]

0 Karma
Reply
Solved! Jump to solution

CJGittings
New Member
‎12-12-2018 09:36 AM

This worked perfectly. Thanks!

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎12-07-2018 10:07 AM

try this:

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | chart count as "LastHour" by log_subtype
| appendcols
    [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | chart count as "PreviousHour" by log_subtype]
| appendcols 
    [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | chart count as "PreviousWeek" by log_subtype]

II think this will get you the previous week up to the last hour: earliest=-7d@h latest=@h-1h

0 Karma
Reply
Solved! Jump to solution

CJGittings
New Member
‎12-07-2018 01:47 PM

Tried this search and only get back 3 columns in the table: log_subtype, LastHour and PreviousWeek. Log_subtype just reads end, PreviousWeek reads data, LastHour returns no data and PreviousHour doesn't show at all. Thanks for the response.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...