All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using Timewrap to compare to a specific static date or week

icegras
Explorer
‎03-24-2016 08:33 AM

I'd like to compare a chart of this week's activity to a specific, never changing baseline week.
I would determine which week is the perfect representative week of normal behaviour, say Feb 08 to Feb 14 2016, and then always compare current activity to that one.
I read the following but that does not let me input static date, and if I understand it correctly I whould have to consider everything from feb 08 to today, and get rid of everything inbetween, which does not make a lot of sense.
https://answers.splunk.com/answers/297910/how-to-compare-data-for-specified-absolute-dates-u.html?ut...

Any ideas?

EDIT
@Stevelim : thanks, your link looks like what I need to do, however I'm still missing something
http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

In the example you need to add a day to _time in the second query in order to have them overlap, because it's comparing today with yesterday. In my case I'll have to add the time difference between the current beginning of the week, and the start date of the baseline which never changes.

Here is an example with hours. I'm comparing the current hour to a certain hour:

eventtype=JmxMemoryEvent earliest=-0h@h latest=now | eval pctUsed=round(heapUsed/heapMax*100,0) |eval ReportKey="RightNow" |
append [search eventtype=JmxMemoryEvent earliest=1458846000 latest=1458849600 | eval pctUsed=round(heapUsed/heapMax*100,0) | eval ReportKey="Before"] | timechart avg(pctUsed) by ReportKey

Within the second search I need to do something like

eval _time=_time+(-0h@h from the first search MINUS 1458846000 which is the beginning of reference hour)

I can't find good examples on _time manipulation, and if I find something I'm not sure what -0h@h within the second search will be relative to. Right now or the latest from the timerange of the second search?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎03-29-2016 04:22 AM

All you have to do is take the difference of the reference timeframe's earliest to now and add it to the _time of your reference values. I've made this run-anywhere, you'll just have to replace the searches (and time ranges) with your own:

index=_internal group=per_sourcetype_thruput earliest=@h latest=now | streamstats window=5 avg(eps) as pctUsed | eval ReportKey="Current Hour" 
| append [search index=_internal group=per_sourcetype_thruput earliest=1459242000 latest=1459245600 | streamstats window=5 avg(eps) as pctUsed | eval ReportKey="Reference Hour" | eval _time=_time+(relative_time(now(), "@h")-1459242000)] | timechart span=1m avg(pctUsed) by ReportKey

Oh and by the way, "-0h@h" is exactly the same as "@h", it just looks more complicated. A time offset in a subsearch is never relative to the main search time range, always to now().

View solution in original post

Reply
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎03-29-2016 04:22 AM

All you have to do is take the difference of the reference timeframe's earliest to now and add it to the _time of your reference values. I've made this run-anywhere, you'll just have to replace the searches (and time ranges) with your own:

index=_internal group=per_sourcetype_thruput earliest=@h latest=now | streamstats window=5 avg(eps) as pctUsed | eval ReportKey="Current Hour" 
| append [search index=_internal group=per_sourcetype_thruput earliest=1459242000 latest=1459245600 | streamstats window=5 avg(eps) as pctUsed | eval ReportKey="Reference Hour" | eval _time=_time+(relative_time(now(), "@h")-1459242000)] | timechart span=1m avg(pctUsed) by ReportKey

Oh and by the way, "-0h@h" is exactly the same as "@h", it just looks more complicated. A time offset in a subsearch is never relative to the main search time range, always to now().

Reply
Solved! Jump to solution

icegras
Explorer
‎04-06-2016 02:21 PM

Thank you! After spending two hours to figure out why some of the reference hour data was not showing (started reference data at beginning of hour +10min for some reason), I finally discovered that Splunk 6.2 does not seem to understand this query.
It works nicely on 6.3!

0 Karma
Reply
Solved! Jump to solution

Stevelim
Communicator
‎03-24-2016 09:44 AM

Is this what you are looking for?

http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

0 Karma
Reply
Solved! Jump to solution

icegras
Explorer
‎03-24-2016 01:55 PM

Thanks for the link, it helps but see my edit for details.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...