Dashboards & Visualizations

compare results from today to yesterday - search doesn't work as dashboard element

Conradj
Path Finder

Hi,

I know this has been done to death several times, but my take on the issue is slightly different.

I have the following search that works.

index=platform_logs sourcetype=UpdateLog earliest=@d latest=now "Download completed successfully" | eval ReportKey="Today" | append [search index=platform_logs sourcetype=UpdateLog earliest=-1d@d latest=-1d "Download completed successfully" | eval ReportKey="Yesterday"] | stats count by ReportKey

It gives me a nice table showing the number of successful downloads "today" compared to "yesterday" at the time the search is run. This way I can see if these particular downloads are tracking correctly.

However,

If I configure this search as a dashboard it seems to hard-code the earliest and latest within the code, and it only ever displays the result for "Today".

I saved this as a dashboard so I could pull the code out for another app I am writing and the logic was as follows:

<table>
  <title>Feed Download : Today vs Yesterday</title>
  <searchString>index=platform_logs sourcetype=UpdateLog earliest=@d latest=now "Download completed successfully" | eval ReportKey="Today" | append [search index=platform_logs sourcetype=UpdateLog earliest=-1d@d latest=-1d "Download completed successfully" | eval ReportKey="Yesterday"] | stats count by ReportKey</searchString>
  <earliestTime>1393758000</earliestTime>
  <latestTime>1393844400</latestTime>
</table>

The dashboard works ... but if I pull the code into a different app/dashboard it doesn't.

If I replace the and tags with and I still only get the results from Today.

My other option would be to split these into two different dashboard elements, but then I would not be able to do any further logic of alerting if there is a difference between the two results.

Cheers,

C.

0 Karma

martin_mueller
SplunkTrust

Your search is always giving you today's results because it contains fixed earliest=@d latest=now time modifiers.

0 Karma

martin_mueller
SplunkTrust

That's weird - what happens when you remove the append like so?

index=platform_logs sourcetype=UpdateLog earliest=-d@d latest=now "Download completed successfully" | timechart span=1d count

You'll get two counts, split into today and yesterday.

Also, your latest in the subsearch probably should have been @d rather than -1d.

0 Karma
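To make the time windows in this thread concrete (the `earliest=@d latest=now` window in the original search, the `earliest=-1d@d latest=-1d` subsearch as posted, and the `latest=@d` variant suggested in the reply above), here is a small added example that is not part of the thread and not Splunk code: it reproduces the `append` + `stats count by ReportKey` result over a constructed list of event timestamps so you can see exactly which events each window counts. The sample timestamps, the fixed "now", and all function names are assumptions made for the example; Splunk's range semantics (earliest inclusive, latest exclusive, `@d` snapping to midnight) are what the code mirrors.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): the _time of each
# "Download completed successfully" line.
SAMPLE_EVENTS = [
    datetime(2014, 3, 1, 23, 30),  # two days ago, late evening
    datetime(2014, 3, 2, 1, 15),   # yesterday, early morning
    datetime(2014, 3, 2, 9, 0),    # yesterday, morning
    datetime(2014, 3, 2, 14, 45),  # yesterday, afternoon
    datetime(2014, 3, 2, 20, 10),  # yesterday, evening
    datetime(2014, 3, 3, 0, 30),   # today, just after midnight
    datetime(2014, 3, 3, 8, 5),    # today, morning
    datetime(2014, 3, 3, 9, 50),   # today, later morning
    datetime(2014, 3, 3, 18, 0),   # today, but later than the fixed "now" below
]


def snap_to_day(ts):
    """Equivalent of Splunk's @d snap: midnight at the start of ts's day."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def count_in_window(events, earliest, latest):
    """Count events with earliest <= t < latest (Splunk treats latest as exclusive)."""
    return sum(1 for t in events if earliest <= t < latest)


def time_windows(now):
    """The three (earliest, latest) windows discussed in the thread, relative to now."""
    one_day = timedelta(days=1)
    return {
        # earliest=@d latest=now
        "today_so_far": (snap_to_day(now), now),
        # earliest=-1d@d latest=-1d : yesterday from midnight up to this time of day
        "yesterday_to_same_time": (snap_to_day(now - one_day), now - one_day),
        # earliest=-1d@d latest=@d : the whole of yesterday
        "yesterday_full": (snap_to_day(now - one_day), snap_to_day(now)),
    }


def compare_today_vs_yesterday(events, now, full_yesterday=False):
    """Mirror of `append ... | stats count by ReportKey` as a dict keyed by ReportKey.

    full_yesterday=False uses the subsearch window as posted (latest=-1d);
    full_yesterday=True uses latest=@d instead.
    """
    windows = time_windows(now)
    yesterday = windows["yesterday_full"] if full_yesterday else windows["yesterday_to_same_time"]
    return {
        "Today": count_in_window(events, *windows["today_so_far"]),
        "Yesterday": count_in_window(events, *yesterday),
    }


if __name__ == "__main__":
    # Fixed "now" so the example is reproducible: 10:00 on the third day.
    now = datetime(2014, 3, 3, 10, 0)
    print(compare_today_vs_yesterday(SAMPLE_EVENTS, now))
    print(compare_today_vs_yesterday(SAMPLE_EVENTS, now, full_yesterday=True))
```

With the fixed "now" of 10:00, the posted window pairs today-so-far with yesterday-up-to-10:00, which is a like-for-like comparison of partial days, while the `latest=@d` variant compares today-so-far against all of yesterday; whichever you intend, the relative modifiers only behave this way when they are evaluated at run time rather than frozen into absolute `earliestTime`/`latestTime` epoch values as in the saved dashboard XML.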

Conradj
Path Finder

The search is two searches joined together using append, both with their own time ranges, also the search works when it is run from the search app and when it is run from its own dashboard. If I copy the dashboard code out and into another dashboard then I only see results for "today".

0 Karma