Solved: How to build a search to compare this year's data ...

himynamesdave · ‎06-22-2015

Hello all,

I have a simple search:

 | chart count BY field

To help you visualise the output, see here: http://imgur.com/m3W0gct

What I want to do is compare this count year on year, without using a timeseries chart - one line for each year with a distribution of count. Like this: http://imgur.com/MVwBYXx

It's similar to this, but slightly different re: time: http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

I am happy using subsearches to bucket the times into years, but struggling to finish the search. An example is something like this (using days here, not years):

index=index earliest=-0d@d latest=now | append [search index=index earliest=-1d@d latest=-0d@d]

What's the best way to build this search for this? Would love some help 🙂

aljohnson_splun · ‎06-22-2015

@himynamesdave

I would suggest first extracting the year, then adding that to your by clause.

index=cdc
| eval the_year = strftime(_time, "%Y")
| chart count by MAGER_, the_year

That should give you what you need. You can use a different strftime value you extract a different part of the timestamp if you look at the common time variables here.

Here's an example from buttercup games data:

View solution in original post

aljohnson_splun · ‎06-22-2015

@himynamesdave

I would suggest first extracting the year, then adding that to your by clause.

index=cdc
| eval the_year = strftime(_time, "%Y")
| chart count by MAGER_, the_year

That should give you what you need. You can use a different strftime value you extract a different part of the timestamp if you look at the common time variables here.

Here's an example from buttercup games data:

How to build a search to compare this year's data with previous years without using timechart?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life