Re: How to show last weeks data in trellis for sin...

mukhil · ‎04-30-2019

Hi,

Im working on showing last week data in trellis for single value visualization. I have 7 values in trellis which is showing current week's data. I would like to see last week data as well in form of providing token to it, but unable to perform. Please help me in it.

woodcock · ‎12-30-2019

You need the timewrap command:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap

jodyfsu · ‎04-30-2019

I think you might be looking for something like this:

index=INDEX sourcetype=SOURCETYPE "REST OF SEARCH"
 earliest=-8d@d latest=-1d@d 
| multikv 
| eval ReportKey="Last Week" 
| append 
    [ search index=INDEX sourcetype=SOURCETYPE "REST OF SEARCH"
 earliest=-15d@d latest=-8d@d
    | multikv 
    | eval ReportKey="Previous Week" 
    | eval _time=_time+60*60*24*7] 
| stats FUNCTION by ReportKey

I use this to compare weeks without having to do each week manually.

woodcock · ‎12-30-2019

Just stack the time specifiers like this:

index=?INDEX sourcetype=SOURCETYPE "REST OF SEARCH" (earliest=-8d@d latest=-1d@d OR earliest=-15d@d latest=-8d@d)
| multikv
| timechart span=1w FUNCTION

How to show last weeks data in trellis for single value visualization?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms