All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to build a search to compare this year's data with previous years without using timechart?

himynamesdave
Contributor
‎06-22-2015 01:47 AM

Hello all,

I have a simple search:

 | chart count BY field

To help you visualise the output, see here: http://imgur.com/m3W0gct

What I want to do is compare this count year on year, without using a timeseries chart - one line for each year with a distribution of count. Like this: http://imgur.com/MVwBYXx

It's similar to this, but slightly different re: time: http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

I am happy using subsearches to bucket the times into years, but struggling to finish the search. An example is something like this (using days here, not years):

index=index earliest=-0d@d latest=now | append [search index=index earliest=-1d@d latest=-0d@d]

What's the best way to build this search for this? Would love some help 🙂

Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎06-22-2015 11:39 AM

@himynamesdave

I would suggest first extracting the year, then adding that to your by clause.

index=cdc
| eval the_year = strftime(_time, "%Y")
| chart count by MAGER_, the_year

That should give you what you need. You can use a different strftime value you extract a different part of the timestamp if you look at the common time variables here.

Here's an example from buttercup games data:
alt text

View solution in original post

Preview file
204 KB
Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎06-22-2015 11:39 AM

@himynamesdave

I would suggest first extracting the year, then adding that to your by clause.

index=cdc
| eval the_year = strftime(_time, "%Y")
| chart count by MAGER_, the_year

That should give you what you need. You can use a different strftime value you extract a different part of the timestamp if you look at the common time variables here.

Here's an example from buttercup games data:
alt text

Preview file
204 KB
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...