My requirement is that I need to create two panels in my dashboard.
First panel: when I choose the last 15 min, I need to get the values from 10 am to 10.15 am for today's date (for example).
Second panel: in the second panel I need to get the data from 10 am to 10.15 am for yesterday's date.
It should be a comparison between today's data and yesterday's data. Please help me with how to frame the query for the second panel.
Hi @Als123,
sorry: a typing error, please try this:
index=xyz [ search index=_internal | head 1 | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest ]
| timechart span=5m count by specification
Ciao.
Giuseppe
Hi @Als123,
you have to put in your dashboard the Time Picker set e.g. to the last 15 minutes.
In the first panel, you take the value from the Time Picker as it is.
In the second panel you use a search like this (if the Time Picker token is called e.g. "Time"):
your_search [ | makeresults | eval earliest=relative_time($Time.earliest$,"-1d"), latest=relative_time($Time.latest$,"-1d") | fields earliest latest ]
| ...
Ciao.
Giuseppe
I am getting "Error in 'eval' command: The expression is malformed. Expected )".
Hi @gcusello ,
I gave my query like this.
<query>index=xyz |makeresults|eval earliest=relative_time($field1.earliest$,"-1d"),latest=relative_time($field1.latest$,"-1d")|fields earliest latest|timechart span =5m count by specification </query>
My token name is field1
Hi @Als123,
it isn't correct: the square brackets of the subsearch are missing
<query>
index=xyz [ | makeresults | eval earliest=relative_time($field1.earliest$,"-1d"), latest=relative_time($field1.latest$,"-1d") | fields earliest latest ]
| timechart span =5m count by specification
</query>
In a few words, you use a subsearch to calculate the new variables earliest and latest.
One hint: always give a name to the tokens, don't leave $field1$.
Ciao.
Giuseppe
Hi @gcusello ,
I have used the query you mentioned. But again I am getting the "Error in 'eval' command. The expression is malformed. Expected )" error in my panel.
Hi Team,
If I modify the query like this ("$field1.earliest$"), I am not getting the eval error, but I am not getting any search results.
<query> index=xyz [ | makeresults | eval earliest=relative_time("$field1.earliest$","-1d"), latest=relative_time("$field1.latest$","-1d") | fields earliest latest ] | timechart span =5m count by specification </query>
Please help on this.
Hi @Als123,
please try this:
index=xyz [ search index=_internal ! head 1 | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest ]
| timechart span =5m count by specification
Ciao.
Giuseppe
Hi @gcusello ,
I am getting "No results found" for the above query.
Hi @Als123,
sorry: a typing error, please try this:
index=xyz [ search index=_internal | head 1 | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest ]
| timechart span=5m count by specification
Ciao.
Giuseppe
Hi @gcusello ,
I have tried like this before also. In this case also I got "No results found" only.
are you sure you have events in yesterday's time range?
I tried this search on _internal in my Splunk and it runs.
Ciao.
Giuseppe
Hi @gcusello ,
Yeah, in yesterday's time range the result is there. But I don't know why I am getting no results. I have used the same query as you mentioned.
Hi @Als123,
at first check the search using _internal, so you're sure that the search is correct.
index=_internal [ search index=_internal | head 1 | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest ]
| timechart span=5m count
Then separately run each search:
index=_internal | head 1 | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest
and then, using the yesterday time frame:
index=xyz
| timechart span=5m count by specification
Then if you have results in both the searches, try:
index=xyz [ search index=_internal | head 1 | addinfo | eval earliest=info_min_time-86400, latest=info_max_time-86400 | fields earliest latest ]
So you can see where the problem is.
Ciao.
Giuseppe
P.S.: tell me if I can help you more, otherwise, Karma Points are appreciated 😉
Hi @gcusello
Now it is working fine for me. Thank you so much for your help.
Hi @gcusello ,
Thank you for your help. I have another question.
In panel 1, I am having two graphs (Success and Failure) for present date.
In panel 2, I am having two graphs (Success and Failure) for yesterday's date.
I need all 4 graphs (panel 1 and panel 2) in a single graph, with yesterday and today named on the X or Y axis. Please help on this.
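One way to get all four series into a single chart, added here as an example that is not part of the thread: the panel search keeps the time picker's range for today, and an append subsearch reuses Giuseppe's addinfo trick from above to fetch the same window one day earlier, then shifts those events forward by a day so both days share one X axis. The index xyz and the field specification are the thread's own; the values Success/Failure and the series naming are assumptions.

```spl
index=xyz
| eval day="today"
| append
    [ search index=xyz
        [ search index=_internal | head 1 | addinfo
          | eval earliest=info_min_time-86400, latest=info_max_time-86400
          | fields earliest latest ]
      | eval day="yesterday"
      | eval _time=_time+86400 ]
| eval series=day."_".specification
| timechart span=5m count by series
```

The chart then shows series such as today_Success, today_Failure, yesterday_Success and yesterday_Failure on today's time axis; the subsearch inherits the panel's time picker range, which is why no explicit earliest/latest is needed on the outer search.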