Using Timewrap to compare yesterday to today per hour

jwalzerpitt
Motivator

I have the following search as I'm trying to compare yesterday's count to today's count per hour, and I am seeing events per hour for latest_day, but no events per hour for today.

index=foo
| timechart count span=1h
| timewrap 1d

Is the fact that I have the span set to 1h and timewrap set to 1d an issue?

Here is what I see:

[screenshot of the timewrap chart]

Thx

mayurr98
Super Champion

I know this sounds dumb, but is your time frame set to something longer than 1 day? If you have your time frame set to one day, that's exactly what it'll do. Try changing it to "last 7 days" or something.
And latest_day means today, 1day_before means yesterday, and so on.
Let me know if this solves your problem.

happy splunking 🙂

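An added example (not from this thread) that pins the search window in the search itself, so two full days are in scope regardless of the time picker, and then computes the hour-by-hour difference between today and yesterday. It assumes the wrapped series are named latest_day and 1day_before as in the thread (some versions prefix them with the series name, e.g. count_latest_day) and that index=foo holds the events of interest.

```spl
index=foo earliest=-1d@d latest=@h
| timechart span=1h count
| timewrap 1d
| eval delta = latest_day - '1day_before'
| where isnotnull(delta)
```

earliest=-1d@d starts at midnight yesterday and latest=@h drops the partial current hour; 1day_before is single-quoted in eval because field names that start with a digit must be quoted, and the final where removes today's hours that have not occurred yet.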

jwalzerpitt
Motivator

Not dumb at all, as I'm sure that has killed many a search!

I do have the time picker set to "Last 24 hours". Changing it to "Last 7 days," I'm still not seeing what I would expect. It's not breaking down yesterday's event count per hour, just providing an overall count for the day.

Thx

jwalzerpitt
Motivator

Apologies, as diving into this more I finally realized your point on making sure the time picker is set correctly. Once I got that right, everything worked as expected.

Thx again for the help!

mayurr98
Super Champion

But it is working perfectly fine at my end:
Try downloading this app and run the search again.
https://splunkbase.splunk.com/app/1645/

Try and let me know

jwalzerpitt
Motivator

I do have the app installed already

Thx

mayurr98
Super Champion

Run this search for yesterday:
index=foo

and see if you are getting events for 24 hrs? According to the graph there is no data for yesterday except at 13:00.

jwalzerpitt
Motivator

I have 1,087,163 events for yesterday:

_time               count
2018-01-09 00:00    65
2018-01-09 01:00    57
2018-01-09 02:00    38
2018-01-09 03:00    12
2018-01-09 04:00    3
2018-01-09 05:00    71
2018-01-09 06:00    11
2018-01-09 07:00    6
2018-01-09 08:00    1701
2018-01-09 09:00    48821
2018-01-09 10:00    46659
2018-01-09 11:00    68360
2018-01-09 12:00    76469
2018-01-09 13:00    83794
2018-01-09 14:00    81029
2018-01-09 15:00    85605
2018-01-09 16:00    84611
2018-01-09 17:00    90232
2018-01-09 18:00    93578
2018-01-09 19:00    88134
2018-01-09 20:00    86039
2018-01-09 21:00    73613
2018-01-09 22:00    48728
2018-01-09 23:00    29527