Solved: One Chart - one search and data plot over 2 separa...

Bart · ‎08-02-2024

Hi,
I'm trying to plot some data, over one chart for 2 different months not consecutive. i.e January and August,
looking to the below post
https://www.splunk.com/en_us/blog/tips-and-tricks/two-time-series-one-chart-and-one-search.html

trying to calculate median and plot just those 2 months in a single month timeframe
the below would work for consecutive months but can not figure out how to eval my time for random months, if I add to my info_min_time then my marker is ploted over several months.

earliest="1/1/2024:00:00:00" 
| bin span=1h _time
| addinfo
| eval marker = if(_time < info_min_time + 60*24*3600, "January","Febuary")| eval _time = if(_time < info_min_time + 60*24*3600, _time + 60*24*3600, _time)
|  chart count max(data) by _time marker

ITWhisperer · ‎08-05-2024

OK then you should be able to simply use a where command to keep just the events in the time ranges you want

View solution in original post

ITWhisperer · ‎08-02-2024

Try something like this

earliest="1/1/2024:00:00:00" 
| bin span=1h _time
| addinfo
| eval marker = if(_time < info_min_time + 60*24*3600, "January","Febuary")| eval _time = if(_time < info_min_time + 60*24*3600, _time + 60*24*3600, _time)
| timechart count max(data) by marker span=1h
| timewrap 1mon

Bart · ‎08-05-2024

Hi, Not exactly what I'm after. Timewrap will cause to chart 3 values, my erliest month of interest, anything in between and my last month.
I've tried to plan with eval _time vales but with no avail, perhaps this needs other approach, I'm trying to chart only the months of my interest to obtain clean view and to simplify calculations on those 2 month values when required.
Per below example I want to look at May and July only, thanks

ITWhisperer · ‎08-05-2024

OK then you should be able to simply use a where command to keep just the events in the time ranges you want

Bart · ‎08-05-2024

yea, I have managed to fix the overlay with the below

| where _time>=relative_time(now(), "-1mon@mon@w")

& to adjust
eval= if(_time < info_min_time + 30*24*3600, _time + 90*24*3600, _time)

still need to fix the latter to reflect exact d@m

ITWhisperer · ‎08-05-2024

Please share your current search and explain your requirement with respect to d@m

Bart · ‎08-05-2024

Here is my search:

...
earliest="4/1/2024:00:00:00" latest="8/1/2024:00:00:00"
| bin span=1h _time
| addinfo
| eval marker = if(_time < (relative_time(info_min_time,"+1mon@mon@w")), "April","July")
| eval _time = if(_time < (relative_time(info_min_time,"+1mon@mon@w")),_time + 90*24*3600, _time)
| chart count max(data) by _time marker
| where _time>=relative_time(now(), "-1mon@mon@w")

with the above my April chart is shifted over July but it does not starts from the first day of the month but last June.
in my eval _time shift: 3rd line from the bottom I would like to know how can I reflect exact month days instead doing "+90*23*3600", ( April,July = 31days, where June is 30), thanks

ITWhisperer · ‎08-05-2024

You are aligning your times to the beginning of the week that the month starts in and the beginning of the week is a Sunday, which in this case takes you back into the previous month. Given that months have different lengths, what exactly do you want your chart to show?

Bart · ‎08-05-2024

yeah that was it, my time setting not alighnt with my timezone, thanks

One Chart - one search and data plot over 2 separate timeframes

chart

timechart

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?