Splunk Search

Timewrap: Compare last 24 hours to the same day over the last 4 weeks

RMoore01
New Member

I would like to compare the last 24 hours to the same day the previous 4 weeks.

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi RMoore01,

I find the command multisearch really handy for this kind of comparison, also it is a very fast/efficient way to search two different time ranges. Although multisearch uses sub search syntax, it is actually not effected by any sub search limitations - from the docs http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch

With the multisearch command, the events from each subsearch are interleaved. Therefore the multisearch command is not restricted by the subsearch limitations.

Okay, now for the example; take this run everywhere example to see how it can be done :

| multisearch 
    [ search index=_internal sourcetype=splunkd earliest=-2w@-24h@h latest=-2w@-0h@h 
    | eval event="1", when="then" ] 
    [ search index=_internal sourcetype=splunkd earliest=-24h@h latest=-0h@h 
    | eval event="1", when="now" ] 
    | chart sum(event) AS events over date_hour by when

This will give you a chart with the sum of events over the last 24 hours (second search) and the same time range 2 weeks ago (First search). I had to use 2 weeks because it searches index=_internal 😉

If you add a where to the SPL, you can compare the events and show it in a graph like this:
alt text

Hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi RMoore01,

I find the command multisearch really handy for this kind of comparison, also it is a very fast/efficient way to search two different time ranges. Although multisearch uses sub search syntax, it is actually not effected by any sub search limitations - from the docs http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch

With the multisearch command, the events from each subsearch are interleaved. Therefore the multisearch command is not restricted by the subsearch limitations.

Okay, now for the example; take this run everywhere example to see how it can be done :

| multisearch 
    [ search index=_internal sourcetype=splunkd earliest=-2w@-24h@h latest=-2w@-0h@h 
    | eval event="1", when="then" ] 
    [ search index=_internal sourcetype=splunkd earliest=-24h@h latest=-0h@h 
    | eval event="1", when="now" ] 
    | chart sum(event) AS events over date_hour by when

This will give you a chart with the sum of events over the last 24 hours (second search) and the same time range 2 weeks ago (First search). I had to use 2 weeks because it searches index=_internal 😉

If you add a where to the SPL, you can compare the events and show it in a graph like this:
alt text

Hope this helps ...

cheers, MuS

RMoore01
New Member

This is very helpful, but I need the actual date and times instead of date_hour.

0 Karma

MuS
SplunkTrust
SplunkTrust

so, this one will give you the _time but only for the last 24 hours:

| multisearch 
    [ search index=_internal sourcetype=splunkd earliest=-2w@-24h@h latest=-2w@-0h@h 
    | eval event="1", when="then" ] 
    [ search index=_internal sourcetype=splunkd earliest=-24h@h latest=-0h@h 
    | eval event="1", when="now" ] 
| bin _time span=1h 
| fields event when date_hour 
| chart sum(event) AS events values(_time) AS _time over date_hour by when 
| where 'events: now' > 'events: then'  | table "VALUE_time: now" events* | rename "VALUE_time: now" AS _time

the events represented by then are in the same hour just two weeks earlier in this example.

cheers, MuS

0 Karma

MuS
SplunkTrust
SplunkTrust

That will be more difficult, and comparing the results will be complicated as well....but let me try something; there are always options 😉

0 Karma

kmaron
Motivator

when you say "last 24 hours" do you mean a specific DAY like 'Tuesday' or do you mean a rolling 24 hours (like 4pm Monday to 4pm Tuesday)?

0 Karma

RMoore01
New Member

When I say "last 24 hours" I am talking about earliest=now and 24 hours from then and then the same time for the same day the previous 4 weeks.
The start time depends on when I run it, it is not a static variable.
Example:
Sunday 6/10/18 10:37 AM and the last 24 hours.
Sunday 6/03/18 10:37 AM and the last 24 hours.
Sunday 5/27/18 10:37 AM and the last 24 hours.
Sunday 5/20/18 10:37 AM and the last 24 hours.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...