Using Timewrap to compare yesterday to today per hour

jwalzerpitt
Influencer

I have the following search as I'm trying to compare yesterday's count to today's count per hour, and I am seeing events per hour for latest_day, but no events per hour for today.

index=foo
| timechart count span=1h
| timewrap 1d

Is the fact that I have the span set to 1h and timewrap set to 1d an issue?

Here is what I see:

Thx

1 Solution

mayurr98
Super Champion

I know this sounds dumb, but is your time frame set to something longer than 1 day? If you have your time frame set to one day, that's exactly what it'll do. Try changing it to "last 7 days" or something.
Also, latest_day means today, 1day_before means yesterday, and so on.
Let me know if this solves your problem.

happy splunking 🙂

jwalzerpitt
Influencer

Not dumb at all, as I'm sure that has killed many searches!

I do have the time picker set to "Last 24 hours". Changing it to "Last 7 days," I'm still not seeing what I would expect. It's not breaking down yesterday's event count per hour, just providing an overall count for the day.

Thx

jwalzerpitt
Influencer

Apologies, as diving into this more I finally realized your point on making sure the time picker is set correctly. Once I got that right, everything worked as expected.

Thx again for the help!

mayurr98
Super Champion

But it is working perfectly fine at my end.
Try downloading this app and running the search again.
https://splunkbase.splunk.com/app/1645/

Try and let me know

jwalzerpitt
Influencer

I do have the app installed already

Thx

mayurr98
Super Champion

Run this search for yesterday:
index=foo

and see if you are getting events for 24 hrs. According to the graph, there is no data @yesterday except at 13 PM.

jwalzerpitt
Influencer

I have 1,087,163 million events for yesterday:

_time               count
2018-01-09 00:00    65
2018-01-09 01:00    57
2018-01-09 02:00    38
2018-01-09 03:00    12
2018-01-09 04:00    3
2018-01-09 05:00    71
2018-01-09 06:00    11
2018-01-09 07:00    6
2018-01-09 08:00    1701
2018-01-09 09:00    48821
2018-01-09 10:00    46659
2018-01-09 11:00    68360
2018-01-09 12:00    76469
2018-01-09 13:00    83794
2018-01-09 14:00    81029
2018-01-09 15:00    85605
2018-01-09 16:00    84611
2018-01-09 17:00    90232
2018-01-09 18:00    93578
2018-01-09 19:00    88134
2018-01-09 20:00    86039
2018-01-09 21:00    73613
2018-01-09 22:00    48728
2018-01-09 23:00    29527 
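
The accepted answer's point about the time range, as an added illustration that is not part of the thread and not Splunk's implementation: a simplified model of `timechart span=1h | timewrap 1d` that assumes hourly buckets, periods counted back from the end of the search window, and the relative series names quoted above. The function names and sample data are constructed.

```python
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

def series_name(k):
    # Relative names as quoted in the thread: latest_day, 1day_before, ...
    return "latest_day" if k == 0 else f"{k}day{'s' if k > 1 else ''}_before"

def timewrap_1d(buckets, end):
    """Fold hourly (bucket_start, count) rows into one column per 24 h period.

    Simplified model (assumption): periods are counted back from `end`,
    the end of the search window. Returns {hour_offset: {series: count}}.
    """
    table = {}
    for start, count in buckets:
        age_h = int((end - start) / HOUR)   # hours from bucket start to window end
        k = (age_h - 1) // 24               # 0 = most recent 24 hours
        offset_h = 24 * (k + 1) - age_h     # position inside its period, 0..23
        table.setdefault(offset_h, {})[series_name(k)] = count
    return table

def series_seen(table):
    # Distinct series (columns) that the wrap produced.
    return sorted({name for cols in table.values() for name in cols})

def hourly(start, end):
    # Constructed sample data: one bucket per hour, count = hour of day.
    out, t = [], start
    while t < end:
        out.append((t, t.hour))
        t += HOUR
    return out

END = datetime(2018, 1, 10, 13, 0)          # constructed end of the search window
last_24h = timewrap_1d(hourly(END - 24 * HOUR, END), END)
last_7d = timewrap_1d(hourly(END - 7 * 24 * HOUR, END), END)

if __name__ == "__main__":
    # A 24-hour window fills exactly one period, so there is nothing to compare.
    print("Last 24 hours ->", series_seen(last_24h))
    # A 7-day window yields one series per day, overlaid hour by hour.
    print("Last 7 days   ->", series_seen(last_7d))
```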