Using Timewrap to compare yesterday to today per hour

Motivator

I have the following search as I'm trying to compare yesterday's count to today's count per hour, and I am seeing events per hour for latest_day, but no events per hour for today.

index=foo
| timechart count span=1h
| timewrap 1d

Is the fact that I have the span set to 1h and timewrap set to 1d an issue?

Here is what I see:

Thx

0 Karma
1 Solution

SplunkTrust

I know this sounds dumb, but is your time frame set to something longer than 1 day? If you have your time frame set to one day, that's exactly what it'll do. Try changing it to "last 7 days" or something.
And latest_day means today, 1day_before means yesterday, and so on.
Let me know if this solves your problem:

happy splunking 🙂
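
The time-range point above, as an added example that is not part of the original thread: putting the range in the search itself with Splunk's `earliest`/`latest` time modifiers makes the result independent of the time picker. `index=foo` is the placeholder index from the question; `-1d@d` starts the window at midnight yesterday, so `timewrap 1d` has two days of hourly buckets to overlay.

```spl
index=foo earliest=-1d@d latest=now
| timechart count span=1h
| timewrap 1d
```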

Motivator

Not dumb at all, as I'm sure that has killed many searches!

I do have the time picker set to "Last 24 hours". Changing it to "Last 7 days," I'm still not seeing what I would expect. It's not breaking down yesterday's event count per hour, just providing an overall count for the day.

Thx

0 Karma

Motivator

Apologies, as diving into this more I finally realized your point on making sure the time picker is set correctly. Once I got that right, everything worked as expected.

Thx again for the help!

0 Karma

SplunkTrust

But it is working perfectly fine at my end:
Try downloading this app and run the search again.
https://splunkbase.splunk.com/app/1645/

Try and let me know

0 Karma

Motivator

I do have the app installed already

Thx

0 Karma

SplunkTrust

Run this search for yesterday:
index=foo

and see if you are getting events for 24 hrs. According to the graph, there is no data @yesterday except at 13 PM.

0 Karma

Motivator

I have 1,087,163 million events for yesterday:

_time               count
2018-01-09 00:00    65
2018-01-09 01:00    57
2018-01-09 02:00    38
2018-01-09 03:00    12
2018-01-09 04:00    3
2018-01-09 05:00    71
2018-01-09 06:00    11
2018-01-09 07:00    6
2018-01-09 08:00    1701
2018-01-09 09:00    48821
2018-01-09 10:00    46659
2018-01-09 11:00    68360
2018-01-09 12:00    76469
2018-01-09 13:00    83794
2018-01-09 14:00    81029
2018-01-09 15:00    85605
2018-01-09 16:00    84611
2018-01-09 17:00    90232
2018-01-09 18:00    93578
2018-01-09 19:00    88134
2018-01-09 20:00    86039
2018-01-09 21:00    73613
2018-01-09 22:00    48728
2018-01-09 23:00    29527 
0 Karma