Dashboards & Visualizations

How do I write a search that displays results for a window of time for different dates? (ex: last 15 min today with last 15 min yesterday)

New Member

I'm trying to write a search that displays results for a window of time for specified days, weeks, months, etc for comparison.

Example:
If I use the search time range picker to provide me results for the last 15 minutes, I would also like it to provide me results for the last 15 minutes; yesterday.

Trying to build a dashboard to compare results from multiple days.

Thank you!

0 Karma

Influencer

Assuming you have separate searches running from one time picker on your dashboard. If your search for today looked like

<your base search> | <other functions> | timechart <statsfunction>

You could have a separate panel search for the same time window yesterday using some subsearch trickery to adjust the earliest and latest timeframe of this search back to yesterday like so:

<your base search> [ noop | stats count 
        | addinfo 
        | eval earliest=relative_time(info_min_time,"-d") 
        | eval latest=relative_time(info_max_time,"-d")
        | fields earliest latest 
        | format "" "" "" "" "" "" ]
| <other functions> | timechart <statsfunction>

How does this subsearch work you might ask? Well noop | stats count in a subsearch is a trick to generate a single event, with a single field of count=0, by running the undocumented "do nothing" noop command, and then counting that nothing with stats. We use addinfo to add fields to our single event about the selected time window for the search, and then use eval to calculate the earliest and latest time based on the selected time window using the relative_time function. We only care about the earliest and latest fields from this subsearch, so we throw the rest away using fields. Finally, as earliest and latest should be written into the search as earliest=### latest=###, with no surrounding parenthesis, no ANDs nor any ORs, we use the format command to do just that.

The rest of the search is the same as written.

Now it might be possible to get this running with multisearch command to run your search twice at the same time, and chart them onto the same graph, but I'm getting some unexpected results with a quick smoke test.

You may also be interested in the timewrap app & command as it would make stuff like this easier 🙂

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!