How do I write a search that displays results for a window of time for different dates? (ex: last 15 min today with last 15 min yesterday)

kylecobb
New Member

I'm trying to write a search that displays results for a window of time for specified days, weeks, months, etc., for comparison.

Example:
If I use the search time range picker to get results for the last 15 minutes, I would also like it to give me results for the same 15 minutes yesterday.

Trying to build a dashboard to compare results from multiple days.

Thank you!

0 Karma

acharlieh
Influencer

Assuming you have separate searches running from one time picker on your dashboard, if your search for today looked like

<your base search> | <other functions> | timechart <statsfunction>

You could have a separate panel search for the same time window yesterday using some subsearch trickery to adjust the earliest and latest timeframe of this search back to yesterday like so:

<your base search>
    [ noop | stats count
      | addinfo
      | eval earliest=relative_time(info_min_time,"-d")
      | eval latest=relative_time(info_max_time,"-d")
      | fields earliest latest
      | format "" "" "" "" "" "" ]
| <other functions> | timechart <statsfunction>

How does this subsearch work, you might ask? Well, noop | stats count in a subsearch is a trick to generate a single event, with a single field of count=0, by running the undocumented "do nothing" noop command and then counting that nothing with stats. We use addinfo to add fields to our single event about the selected time window for the search, and then use eval to calculate the earliest and latest time based on the selected time window using the relative_time function. We only care about the earliest and latest fields from this subsearch, so we throw the rest away using fields. Finally, as earliest and latest should be written into the search as earliest=### latest=###, with no surrounding parentheses, no ANDs nor any ORs, we use the format command to do just that.

The rest of the search is the same as written.

Now it might be possible to get this running with multisearch command to run your search twice at the same time, and chart them onto the same graph, but I'm getting some unexpected results with a quick smoke test.

You may also be interested in the timewrap app & command as it would make stuff like this easier 🙂
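To make the mechanics of the subsearch concrete, here is a small Python model of what it computes, added as an example rather than anything from the answer above or from Splunk itself. It reimplements only the pieces the subsearch relies on: a simplified relative_time that understands +/-N followed by s, m, h, d or w (no "mon", "y" or "@" snapping), the shifting of the addinfo bounds, and the rendering of the result as bare earliest=### latest=### terms the way the answer describes format's output. It also goes one step beyond the answer by counting constructed events in the current window and the shifted one, so you can see the comparison the dashboard is meant to show. The epoch values and the EVENTS list are constructed sample data, and the helper names are my own.

```python
import re

# Seconds per unit for the modifiers this model understands. Splunk's real
# relative_time also handles mon/y and "@" snapping; those are deliberately
# left out of this simplified model.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_MODIFIER = re.compile(r"^([+-])(\d*)([smhdw])$")


def relative_time(epoch, modifier):
    """Shift an epoch timestamp by a Splunk-style modifier such as "-d" or "-7d".
    A missing count means 1, so "-d" is the same as "-1d"."""
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    sign, count, unit = m.groups()
    delta = int(count or 1) * _UNIT_SECONDS[unit]
    return epoch - delta if sign == "-" else epoch + delta


def shifted_bounds(info_min_time, info_max_time, modifier="-d"):
    """Model of the two eval lines: take the window addinfo reports for the
    outer search and move both ends back by the modifier."""
    return (relative_time(info_min_time, modifier),
            relative_time(info_max_time, modifier))


def format_bounds(earliest, latest):
    """Render the bounds as bare terms, the way the answer says format with six
    empty strings emits them (no parentheses, no AND/OR)."""
    return f"earliest={earliest} latest={latest}"


def count_in_window(events, earliest, latest):
    """Count events whose _time falls in [earliest, latest); Splunk treats
    earliest as inclusive and latest as exclusive."""
    return sum(1 for e in events if earliest <= e["_time"] < latest)


def compare_windows(events, info_min_time, info_max_time, modifier="-d"):
    """Counts for the picker's window and for the same window shifted back,
    plus the search terms the subsearch would inject for the shifted one."""
    prev_earliest, prev_latest = shifted_bounds(info_min_time, info_max_time, modifier)
    return {
        "current": count_in_window(events, info_min_time, info_max_time),
        "previous": count_in_window(events, prev_earliest, prev_latest),
        "previous_terms": format_bounds(prev_earliest, prev_latest),
    }


# Constructed sample data: a 15-minute picker window and a handful of events
# spread across today, the same slot yesterday, and two days ago.
WINDOW_MIN = 1711620000          # stands in for info_min_time
WINDOW_MAX = 1711620900          # stands in for info_max_time (15 minutes later)
EVENTS = [
    {"_time": 1711620010, "status": 500},   # today, inside the window
    {"_time": 1711620500, "status": 500},   # today, inside the window
    {"_time": 1711620899, "status": 502},   # today, last second of the window
    {"_time": 1711533600, "status": 500},   # yesterday, exactly at earliest
    {"_time": 1711534499, "status": 503},   # yesterday, inside the window
    {"_time": 1711534500, "status": 500},   # yesterday, exactly at latest: excluded
    {"_time": 1711447200, "status": 500},   # two days ago
]

if __name__ == "__main__":
    result = compare_windows(EVENTS, WINDOW_MIN, WINDOW_MAX)
    print(result)
```

Running the block prints the counts for both windows together with the string the subsearch would splice into the outer search; changing the modifier to "-7d" gives the same-window-last-week comparison the question also asks about.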
