Reporting

How to check data during a time period relative to another time period

TylerJVitale
Explorer

I want to be able to create a report of available memory from the last 24 hours, checking the available memory the last 4 hours each our. So for example,

9am: Available Memory from 5-9am
10am: Available Memory from 6-10am

and so on. How would I set this up?

Tags (1)
0 Karma

mdsnmss
SplunkTrust
SplunkTrust

In order to have a running report for 24 hours with those intervals what I would do is to schedule the report for every hour with a search range of the last 4 hours. This will give you the available memory for a single 4 hour period in which you can add to a lookup table as a part of the search. Within the search we can build in logic to only retain a specific range of data in the lookup and say if a row in the table is >24 hours old, drop it from the table. Do you have a search to work with?

0 Karma

TylerJVitale
Explorer

|bin _time span=4h|stats avg(Value) as "Last 4h"|join [search |bin _time span=24h|stats avg(Value) as "Last 24h"]|sort- _time|head 1

@mdsnmss As of now I have this and if I have a report run every hour and append the results to a csv lookup file, I think it should work, giving me an average over the last 4h and last 24h, right?

However, I'm doing this for someone else and I think they might need historical data, like doing this same thing, but from every hour over the past 24 hours, and I'm not sure if that is possible. If it is, great. If not, if you could just look over my query and tell me if that's what I can do going forward, I'd appreciate it.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...