Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add previous week to line chart for comparison

davidsplunk123
New Member
‎02-28-2018 01:04 AM

I have this below search and would like to add another line to include the week previous showing how it compares with the last 7 days.

index=summary report=otl_engineering_jiracsatresults Key="**" Assignee="**" Classification="**"
| dedup Key 
| eval dateEpoch = strptime(Date, "%Y-%m-%d %H:%M") 
| eval today = now() 
| eval daysAgo = round(((today - dateEpoch)/60/60/24), 0) 
| rex field=Date "(?<day>^\d{4}-\d{2}-\d{2}) \d{2}:\d{2}$"
| table Key, Summary, Reporter, Assignee, Classification, "CSAT Rate", "CSAT Rating Comment", Date, daysAgo, day
|  search daysAgo <= 7 
| stats avg("CSAT Rate") as AverageCustomerRating by day

alt text

Tags (1)
Preview file
31 KB
0 Karma
Reply

cmerriman
Super Champion
‎02-28-2018 04:53 AM

what version of Splunk are you using? newer versions of Splunk (6.5+, I believe) have a command called timewrap

https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Timewrap

if you do something ilke:

index=summary report=otl_engineering_jiracsatresults Key="**" Assignee="**" Classification="**"
 | dedup Key 
 | eval dateEpoch = strptime(Date, "%Y-%m-%d %H:%M") 
 | eval today = now() 
 | eval daysAgo = round(((today - dateEpoch)/60/60/24), 0) 
 | rex field=Date "(?<day>^\d{4}-\d{2}-\d{2}) \d{2}:\d{2}$"
 | table Key, Summary, Reporter, Assignee, Classification, "CSAT Rate", "CSAT Rating Comment", Date, daysAgo, day dateEpoch
 | eval _time=dateEpoch
 |  search daysAgo <= 14 
 | timechart span=1d avg("CSAT Rate") as AverageCustomerRating 
 | timewrap 1week

there is also a timewrap app, if you're on an older version of splunk https://splunkbase.splunk.com/app/1645/

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...