
How do you chart 3 time periods in 1 report?

CJGittings
New Member

I am looking to combine 3 different time periods into 1 chart. The 3 time periods will include last hour, previous hour and the week before the last hour. I want the chart to total for each time period.

I have been trying numerous search variations and various functions with no luck.

Thinking it should be something close to this, but I'm not really sure because I can't get data. I either receive the incorrect search function or data with the searches I am doing.

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | chart count by log_subtype | [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h] | chart count by log_subtype

woodcock
Esteemed Legend

You need the timewrap command:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap

Maybe something like this:

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h
| timechart count span=1h BY log_subtype
| timewrap 1h

nagarjuna280
Communicator

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | stats count as "LastHour" by log_subtype
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | stats count as "PreviousHour" by log_subtype]
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | stats count as "PreviousWeek" by log_subtype]

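A single-search alternative, added here as an editor's example and not code posted in the thread. It assumes the same index, sourcetype, and field names used in the question (index="logs", sourcetype="traffic", rule="data", log_subtype) and that eval's now() has the same reference point as the @h modifiers in the time picker, which holds for an ad hoc or scheduled search. Instead of running three searches and gluing the results together, it reads the union of the three windows once (-7d@h to @h), flags each event with the window(s) it falls in, and sums the flags per log_subtype. A subtype with zero events in one window then shows 0 rather than disappearing through an inner join or landing in the wrong column through a positional append:

```spl
index="logs" sourcetype="traffic" rule="data" log_subtype=end earliest=-7d@h latest=@h
| eval last_hour_start=relative_time(now(), "-1h@h"),
       prev_hour_start=relative_time(now(), "-2h@h")
| eval LastHour=if(_time>=last_hour_start, 1, 0),
       PreviousHour=if(_time>=prev_hour_start AND _time<last_hour_start, 1, 0),
       PreviousWeek=if(_time<last_hour_start, 1, 0)
| stats sum(LastHour) AS LastHour, sum(PreviousHour) AS PreviousHour, sum(PreviousWeek) AS PreviousWeek BY log_subtype
```

The window boundaries match the accepted answer: LastHour is [@h-1h, @h), PreviousHour is [@h-2h, @h-1h), and PreviousWeek is [-7d@h, @h-1h), which deliberately includes the previous hour. If you want the three columns to be disjoint, change the PreviousWeek test to `_time<prev_hour_start`. Drop `log_subtype=end` from the base search to get one row per subtype instead of a single row.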

CJGittings
New Member

This worked perfectly. Thanks!


kmaron
Motivator

try this:

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | chart count as "LastHour" by log_subtype
| appendcols
    [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | chart count as "PreviousHour" by log_subtype]
| appendcols 
    [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | chart count as "PreviousWeek" by log_subtype]

I think this will get you the previous week up to the last hour: earliest=-7d@h latest=@h-1h


CJGittings
New Member

Tried this search and only get back 3 columns in the table: log_subtype, LastHour and PreviousWeek. Log_subtype just reads end, PreviousWeek reads data, LastHour returns no data and PreviousHour doesn't show at all. Thanks for the response.
