Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does splunk timepicker dashboard shows result for today and yesterday?

mikeyty07
Communicator
‎08-23-2023 03:14 PM

I have a requirement to build a dashboard, when selected between through date and time range
suppose  8/16/2023 17:00:00 and  8/16/2023 18:00:00. And want to show results for these dates as well as the previous day same hour results

todays count  yesterdays count
100 200

 

is it possible to have auto search and show two results through one time picker selection?

Labels (4)
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 01:21 AM

Yes, you still need to do the counts - I assumed you knew how to do that - all I was showing was how to get the previous day's events using the timepicker (as you asked).

index=main source="*eligible*" "/api/info/eligible"
[| makeresults
| addinfo
| eval row=mvrange(0,2)
| mvexpand row
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest]
| bin _time span=1d
| stats count by _time

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2023 03:24 PM

You could try something like this

<your index> [| makeresults
| addinfo
| eval row=mvrange(0,2)
| mvexpand row
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest]
0 Karma
Reply
Solved! Jump to solution

mikeyty07
Communicator
‎08-23-2023 07:54 PM

I added in top of query its showing data in _raw format instead of table. Am I missing anything?
my query


index=main source="*eligible*" "/api/info/eligible"
[| makeresults
| addinfo
| eval row=mvrange(0,2)
| mvexpand row
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest]

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 01:21 AM

Yes, you still need to do the counts - I assumed you knew how to do that - all I was showing was how to get the previous day's events using the timepicker (as you asked).

index=main source="*eligible*" "/api/info/eligible"
[| makeresults
| addinfo
| eval row=mvrange(0,2)
| mvexpand row
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest]
| bin _time span=1d
| stats count by _time
Reply
Solved! Jump to solution

mikeyty07
Communicator
‎08-24-2023 06:19 AM

thanks, It worked. Also in the same query is it possible to get from the  last week day too including today and yesterday?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 06:21 AM 
index=main source="*eligible*" "/api/info/eligible"
[| makeresults
| addinfo
| eval row=mvrange(0,3)
| mvexpand row
| eval row=if(row=2,7,row)
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest]
| bin _time span=1d
| stats count by _time
Reply
Solved! Jump to solution

mikeyty07
Communicator
‎08-24-2023 07:14 AM

I wanted to check the percent increase/ decrease on the same query is it possible to run it on same?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 07:46 AM

Try something like this

index=main source="*eligible*" "/api/info/eligible"
[| makeresults
| addinfo
| eval row=mvrange(0,3)
| mvexpand row
| eval row=if(row=2,7,row)
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest]
| bin _time span=1d
| stats count by _time
| eval day=case(_time>=relative_time(now(),"@d"),"Today",_time>=relative_time(now(),"-1d@d"),"Yesterday",true(),"LastWeek")
| eval {day}=count
| fields - count _time
| stats values(*) as *
| eval dailychange=100*Today/Yesterday
| eval weeklychange=100*Today/LastWeek
Reply
Solved! Jump to solution

mikeyty07
Communicator
‎08-24-2023 08:22 AM

when i try to use time picker like certain date and time it is showing me like 

lastweekday

25027

25161

25231

lastweek

 

but when i do last 4 hours or minutes all the values are showing like

todayyesterdaylastweekdailychangedayweeklychange
999249102972101160-3.75

lastweek

today

yesterday

-1.92

 

can the timepicker show results like all values in the second table?

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 09:18 AM

Perhaps you need to calculate based on info_min_time?

index=main source="*eligible*" "/api/info/eligible"
[| makeresults
| addinfo
| eval row=mvrange(0,3)
| mvexpand row
| eval row=if(row=2,7,row)
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest]
| bin _time span=1d
| stats count by _time
| addinfo
| eval day=case(_time>=relative_time(info_min_time,"@d"),"Today",_time>=relative_time(info_min_time,"-1d@d"),"Yesterday",true(),"LastWeek")
| eval {day}=count
| fields - count _time info_*
| stats values(*) as *
| eval dailychange=100*Today/Yesterday
| eval weeklychange=100*Today/LastWeek
0 Karma
Reply
Solved! Jump to solution

mikeyty07
Communicator
‎08-24-2023 07:39 PM

It still shows same but instead gives today

todayday

25027

25161

25231

today
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 07:51 PM

Sorry I missed removing the day field

index=main source="*eligible*" "/api/info/eligible"
[| makeresults
| addinfo
| eval row=mvrange(0,3)
| mvexpand row
| eval row=if(row=2,7,row)
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest]
| bin _time span=1d
| stats count by _time
| addinfo
| eval day=case(_time>=relative_time(info_min_time,"@d"),"Today",_time>=relative_time(info_min_time,"-1d@d"),"Yesterday",true(),"LastWeek")
| eval {day}=count
| fields - count _time info_* day
| stats values(*) as *
| eval dailychange=100*Today/Yesterday
| eval weeklychange=100*Today/LastWeek
0 Karma
Reply
Solved! Jump to solution

mikeyty07
Communicator
‎08-24-2023 08:21 PM

It only showed this now,

today

25027

25161

25231

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2023 01:35 AM

Please share your full query in a code block </>

0 Karma
Reply
Solved! Jump to solution

mikeyty07
Communicator
‎08-25-2023 07:00 AM

index=main source="*eligible*" "/api/info/eligible"
[| makeresults
| addinfo
| eval row=mvrange(0,3)
| mvexpand row
| eval row=if(row=2,7,row)
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest]
| bin _time span=1d
| stats count by _time
| addinfo
| eval day=case(_time>=relative_time(info_min_time,"@d"),"Today",_time>=relative_time(info_min_time,"-1d@d"),"Yesterday",true(),"LastWeek")
| eval {day}=count
| fields - count _time info_* day
| stats values(*) as *
| eval dailychange=100*Today/Yesterday
| eval weeklychange=100*Today/LastWeek

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2023 08:00 AM

Sorry, I should have used info_max_time

index=main source="*eligible*" "/api/info/eligible"
[| makeresults
| addinfo
| eval row=mvrange(0,3)
| mvexpand row
| eval row=if(row=2,7,row)
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest]
| bin _time span=1d
| stats count by _time
| addinfo
| eval day=case(_time>=relative_time(info_max_time,"@d"),"Today",_time>=relative_time(info_max_time,"-1d@d"),"Yesterday",true(),"LastWeek")
| eval {day}=count
| fields - count _time info_* day
| stats values(*) as *
| eval dailychange=100*Today/Yesterday
| eval weeklychange=100*Today/LastWeek
0 Karma
Reply
Solved! Jump to solution

mikeyty07
Communicator
‎08-25-2023 02:16 PM

now its showing on two column, today column is missing

 

lastweekyesterday

101160

102972

999249
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-26-2023 01:49 PM

What time span did you have in your search?

0 Karma
Reply
Solved! Jump to solution

mikeyty07
Communicator
‎08-28-2023 10:33 AM

I selected from time picker like 8/14/23 00:00:00 8/15/23 00:00:00

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2023 05:47 AM 
index=main source="*eligible*" "/api/info/eligible"
[| makeresults
| addinfo
| eval row=mvrange(0,3)
| mvexpand row
| eval row=if(row=2,7,row)
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest]
| bin _time span=1d
| stats count by _time
| addinfo
| eval day=case(_time>=relative_time(info_max_time,"-1d"),"Today",_time>=relative_time(info_max_time,"-2d"),"Yesterday",true(),"LastWeek")
| eval {day}=count
| fields - count _time info_* day
| stats values(*) as *
| eval dailychange=100*Today/Yesterday
| eval weeklychange=100*Today/LastWeek
Reply
Solved! Jump to solution

mikeyty07
Communicator
‎08-24-2023 07:54 AM

thank you, it worked but for percentage calculation i did this


| eval dailychange=(((Today-Yesterday)/Today)*100)
| eval weeklychange=(((Today-LastWeek)/Today)*100)

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...