I'm trying to get Thursday of this week compared with Thursday of last week and have the values overlay in a stack graph.
Using the following search, based off this link, I'm not able to get the data to overlap; I can only get it working side by side.
source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-1d@d latest=-0d@d
| eval ReportKey="this week"
| append maxtime=600 [search source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-8d@d latest=-7d@d
| eval _time=_time+60*60*24*7
| eval ReportKey="last week"]
| timechart span=5m avg(Value) by ReportKey
What am I missing?
Splunk Version 4.3.3
Comparing week-over-week results used to be a pain in Splunk, with complex date calculations. No more. Now there is a better way.
I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.
source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-1d@d latest=-0d@d
| timechart avg(Value) span=1h
| timewrap w
| where strftime(_time, "%A") == "Thursday"
That's it!
Here is a much more elegant solution which can plot all days on the same day in timechart and does not require the use of an app:
| eval series=strftime(_time, "%m-%d")
| eval time_delta=(now()-_time)/86400, time_day=ceiling(time_delta), _time=_time+time_day*86400
| eval day=case(time_day=0,"Today",time_day=1,"Yesterday",time_day=8,"SD last week")
| timechart fixedrange=false sum(count) by day
This allows you to plot any time range by series or to assign nice names in the case statement to each day based on its relation to the current time/day. 86400 is the number of seconds in a day.
Any help with this, please.
Hi,
My report is quite similar to this one, but my idea is to build a timechart for the Domain user account lockouts from two days.
The idea is to compare the user account lockouts (Event ID 644) difference between yesterday and today.
I created the search but something goes wrong as I get less matchings than running the search separately.
sourcetype="WinEventLog:Security" EventCode="644" earliest=-0d@d latest=now
| eval ReportKey="today"
| append [search sourcetype="WinEventLog:Security" EventCode="644" earliest=-1d@d latest=-0d@d
| eval ReportKey="yesterday"]
| eval _time=if(ReportKey=="yesterday",_time+86400,_time)
| timechart span=120m c(EventCode) by ReportKey
Thank you.
May I suggest that you open a different thread if you have a different problem? The original question is marked as "Answered" and that means that no one is expecting to find more questions here.
That said, the following may help:
The default number of results from a subsearch is 100; the maximum is 10499. To increase the number of results above the default of 100, you can edit limits.conf or use the format command.
My guess is that this is your problem. More info at the following link
http://docs.splunk.com/Documentation/Splunk/5.0.2/Search/Aboutsubsearches
Make sure you aren't being timed out by an auto-finalized subsearch.
Try:
append maxtime=600 [search sourcetype="WinEventLog:Security" EventCode="644" earliest=-1d@d latest=-0d@d
What you have looks right. I have two ideas:
First, there are some versions of Splunk that do not happily let you re-compute _time in a subsearch. So, recompute it in the main search as follows:
source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-1d@d latest=-0d@d
| eval ReportKey="this week"
| append maxtime=600 [search source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-8d@d latest=-7d@d
| eval ReportKey="last week"]
| eval _time=if(ReportKey=="last week",_time+60*60*24*7,_time)
| timechart span=5m avg(Value) by ReportKey
Option #2 - Don't use a subsearch. This can get around other problems, such as very large datasets. (Although you might want to also consider summary indexing if your search runs for a long time.) It might also help with this problem.
source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-8d@d latest=-0d@d
| eval ReportKey="deleteThisEvent"
| eval ReportKey=if(_time<=relative_time(now(),"-7d@d"),"SameDayLastWeek",ReportKey)
| eval ReportKey=if(_time>=relative_time(now(),"-1d@d"),"Yesterday",ReportKey)
| where ReportKey!="deleteThisEvent"
| eval _time=if(ReportKey=="SameDayLastWeek",_time+60*60*24*7,_time)
| timechart fixedrange=false span=5m avg(Value) by ReportKey
The earliest means pick 8 days ago all the way up to yesterday at midnight.
The first eval computes the full day of 7 days ago because of the earliest setting -7d@d up to -8d@d
The second eval computes yesterday up to midnight because of the latest setting -1d@d up to -0d@d
The rest "deleteThisEvent" gets rid of everything outside of those boundaries.
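Added example, not from the original thread or from Splunk: a small Python model of what the overlay searches in this thread do, so the timestamp shift and the subsearch cap can be seen side by side. It parses constructed Windows Security lockout lines (EventCode=644, in a made-up `<ISO time> key=value` layout), buckets the base day's events and the comparison day's events into 120-minute spans after shifting the comparison timestamps forward by the gap between the two windows, which is what the `eval _time=if(ReportKey=="yesterday",_time+86400,_time)` step does. An optional `subsearch_limit` keeps only the first N appended events, modelling the default subsearch result cap mentioned in the answer above, which is why the appended series comes out short. The same function covers the week-over-week case of the accepted answer by passing a comparison window seven days back; the sample data, window sizes and field names are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

DAY = 86400


def iso(ts):
    """Epoch seconds -> 'YYYY-MM-DDTHH:MM:SS' (UTC); only used to build the sample lines."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def parse_event(line):
    """Parse one constructed line '<ISO time> EventCode=<n> Account=<name>' into a dict with _time."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.fromisoformat(ts_str).replace(tzinfo=timezone.utc)
    return {"_time": int(ts.timestamp()), **fields}


def constructed_events(today_start):
    """Constructed sample (not real data): 150 lockouts spread over yesterday, 30 over this morning."""
    lines = []
    for i in range(150):
        lines.append(f"{iso(today_start - DAY + i * 576)} EventCode=644 Account=user{i % 7}")
    for i in range(30):
        lines.append(f"{iso(today_start + i * 1440)} EventCode=644 Account=user{i % 7}")
    return [parse_event(line) for line in lines]


def overlay_counts(events, base_start, compare_start, window, span,
                   labels=("today", "yesterday"), subsearch_limit=None):
    """Model of:
         search <base window> | eval ReportKey=labels[0]
         | append [search <compare window> | eval ReportKey=labels[1]]
         | eval _time=if(ReportKey==labels[1], _time + (base_start - compare_start), _time)
         | timechart span=<span> count by ReportKey
    base_start / compare_start are epoch seconds (the -0d@d / -1d@d style boundaries);
    window and span are seconds. subsearch_limit models the subsearch result cap: only the
    first N appended events survive, so the comparison series is silently undercounted."""
    shift = base_start - compare_start
    base = [e for e in events if base_start <= e["_time"] < base_start + window]
    comp = [e for e in events if compare_start <= e["_time"] < compare_start + window]
    if subsearch_limit is not None:
        comp = comp[:subsearch_limit]
    buckets = defaultdict(Counter)
    for e in base:
        buckets[(e["_time"] - base_start) // span * span][labels[0]] += 1
    for e in comp:
        # shifting the comparison events forward puts them on the base day's x-axis
        buckets[(e["_time"] + shift - base_start) // span * span][labels[1]] += 1
    return {offset: dict(c) for offset, c in sorted(buckets.items())}


def series_total(table, label):
    """Total count of one ReportKey series across all buckets."""
    return sum(c.get(label, 0) for c in table.values())


# 2013-03-14T00:00:00Z (a Thursday) stands in for -0d@d in the sample
TODAY_START = int(datetime(2013, 3, 14, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    events = constructed_events(TODAY_START)
    for limit in (None, 100):
        table = overlay_counts(events, TODAY_START, TODAY_START - DAY, DAY, 7200,
                               subsearch_limit=limit)
        print(f"subsearch_limit={limit}: yesterday total={series_total(table, 'yesterday')}")
        for offset, counts in table.items():
            print(f"  {iso(TODAY_START + offset)[11:16]}  today={counts.get('today', 0):3d}"
                  f"  yesterday={counts.get('yesterday', 0):3d}")
```

Running it prints the 12 two-hour buckets twice: once with the full 150 comparison events and once with the appended series capped at 100, which is the kind of shortfall that shows up as "fewer matches than running the searches separately". Raising the cap (maxout, limits.conf, or avoiding the subsearch altogether as in Option #2 above) is the fix in Splunk; the model only makes the effect visible.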
Comparing week-over-week results is a pain in Splunk. You have to do absurd math for crazy date calculations. No more. Now there is a better way.
I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.
http://apps.splunk.com/app/1645/
Can you use timewrap to populate a single value visualization with trend indicator? For instance I want the last 7 days to populate the single value and the week before that to be fed into the trend indicator.
The first option was successful. Thanks!