Solved: How to show trend for last 7 days for last 3 month...

aditsss · ‎03-10-2021

Hi Everyone,

Below is my query:

index="abc*" OR index="xyz*" | eval raw_len=len(_raw) | eval GB=raw_len/pow(1024,3) | timechart sum(GB) as total_GB by sourcetype

I am displaying the trend for last 7 days.

Since its a saved search I want to display last 7 days for last 3 months.

Can someone guide me how is that possible.

Thanks in advance

to4kawa · ‎03-12-2021

sample:

index=_internal earliest=0 sourcetype=splunkd_*| bin span=1d _time | stats sum(eval(len(_raw))) as bytes by _time sourcetype
| eval KB=round(bytes/1024,2)
| streamstats window=3 avg(KB) as trend by sourcetype
| fields - bytes
| xyseries _time sourcetype KB trend

try bin and stats , not timechart

View solution in original post

to4kawa · ‎03-12-2021

sample:

index=_internal earliest=0 sourcetype=splunkd_*| bin span=1d _time | stats sum(eval(len(_raw))) as bytes by _time sourcetype
| eval KB=round(bytes/1024,2)
| streamstats window=3 avg(KB) as trend by sourcetype
| fields - bytes
| xyseries _time sourcetype KB trend

try bin and stats , not timechart

How to show trend for last 7 days for last 3 months

chart

panel

simple XML

timechart

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation