
How do you chart 3 time periods in 1 report?

New Member

I am looking to combine 3 different time periods into 1 chart. The 3 time periods will include last hour, previous hour and the week before the last hour. I want the chart to total for each time period.

I have been trying numerous search variations and various functions with no luck.

Thinking it should be something close to this, but I'm not really sure because I can't get data. I either receive the incorrect search function or data with the searches I am doing.

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | chart count by log_subtype | [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h] | chart count by log_subtype

Re: How do you chart 3 time periods in 1 report?

Motivator

try this:

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | chart count as "LastHour" by log_subtype
| appendcols
    [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | chart count as "PreviousHour" by log_subtype]
| appendcols 
    [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | chart count as "PreviousWeek" by log_subtype]

I think this will get you the previous week up to the last hour: earliest=-7d@h latest=@h-1h


Re: How do you chart 3 time periods in 1 report?

New Member

Tried this search and only get back 3 columns in the table: log_subtype, LastHour and PreviousWeek. log_subtype just reads end, PreviousWeek reads data, LastHour returns no data and PreviousHour doesn't show at all. Thanks for the response.


Re: How do you chart 3 time periods in 1 report?

Communicator

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | stats count as "LastHour" by log_subtype
| join log_subtype
    [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h | stats count as "PreviousHour" by log_subtype]
| join log_subtype
    [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h-1h | stats count as "PreviousWeek" by log_subtype]

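A single-search alternative to the join approach above, added here as an example and not posted by anyone in the thread: it reads the whole seven-day window once, assigns each event to a period with eval, and lets chart split the counts by that period, so no subsearches or joins are needed (subsearches run under result-count and time limits, and a busy traffic index can hit them and undercount without any error). The period boundaries here are assumed to be non-overlapping, so PreviousWeek ends where PreviousHour begins; the earlier reply's PreviousWeek window instead runs up to @h-1h and overlaps PreviousHour. relative_time(now(), "@h-1h") snaps the search start time to the hour and subtracts one hour, matching the earliest/latest modifiers used in the thread.

```spl
index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=-7d@h latest=@h
| eval period=case(
      _time >= relative_time(now(), "@h-1h"), "LastHour",
      _time >= relative_time(now(), "@h-2h"), "PreviousHour",
      true(), "PreviousWeek")
| chart count over log_subtype by period
| fillnull value=0
```

The result is one row per log_subtype value with LastHour, PreviousHour and PreviousWeek columns; fillnull writes 0 where a period had no events, so a quiet hour shows up as a zero rather than an empty cell, which is what you want when the report feeds an alert or a dashboard comparison.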

Re: How do you chart 3 time periods in 1 report?

New Member

This worked perfectly. Thanks!


Re: How do you chart 3 time periods in 1 report?

Esteemed Legend

You need the timewrap command:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap

Maybe something like this:

index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h
| timechart count span=1h BY log_subtype
| timewrap 1h