I am looking to combine 3 different time periods into 1 chart. The 3 time periods will include last hour, previous hour and the week before the last hour. I want the chart to total for each time period.
I have been trying numerous search variations and various functions with no luck.
Thinking it should be something close to this, but I'm not really sure because I can't get data. I either receive the incorrect search function or data with the searches I am doing.
index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | chart count by log_subtype | [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h] | chart count by log_subtype
index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | stats count as "LastHour" by log_subtype
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | stats count as "PreviousHour" by log_subtype]
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | stats count as "PreviousWeek" by log_subtype]
You need the timewrap
command:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap
Maybe something like this:
index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h
| timechart count span=1h BY log_subtype
| timewrap 1h
index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | stats count as "LastHour" by log_subtype
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | stats count as "PreviousHour" by log_subtype]
| join log_subtype
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | stats count as "PreviousWeek" by log_subtype]
This worked perfectly. Thanks!
try this:
index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | chart count as "LastHour" by log_subtype
| appendcols
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | chart count as "PreviousHour" by log_subtype]
| appendcols
[search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | chart count as "PreviousWeek" by log_subtype]
II think this will get you the previous week up to the last hour: earliest=-7d@h latest=@h-1h
Tried this search and only get back 3 columns in the table: log_subtype, LastHour and PreviousWeek. Log_subtype just reads end, PreviousWeek reads data, LastHour returns no data and PreviousHour doesn't show at all. Thanks for the response.