Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

trend from last week/month/quarter

sanketsahoo
Engager
‎04-12-2021 03:42 PM

Hello Everyone,

I am stuck at building a trending dashboard.

My data in table format:-

_time,  ProjectName, summary1, summary2

2021-04-06 05:41:30.027ProjectA121173
2021-04-07 07:06:00.983ProjectA121173
2021-04-08 02:30:47.883ProjectA121173
2021-04-09 05:09:43.243ProjectA130173
2021-04-10 12:07:51.513ProjectA130173

 

I want to build a dashboard visualization such as a comparison for summary data and yesterday data/last weeks data, last month , last quarter data based on a input field.

 

So that we can derive what was the summary last week for project A, last month for project A, and so on

 

I tried 
the search 
| timechart avg(summary1), avg(summary2) by ProjectName span=w@w1
| timewrap 1mon

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ericjorgensenjr
Path Finder
‎04-13-2021 07:46 AM

This can be accomplished in different ways, but I would recommend something like this:

<your search> earliest=-1w latest=now | eval ProjectName=ProjectName." - current" | append [ search <your search> earliest=-2w latest=-1w | eval ProjectName=ProjectName." - previous", _time=_time+604800 ] | timechart avg(summary1) as summary1, avg(summary2) as summary2 by ProjectName

 

It's possible to replace the earliest and latest from both searches with variables from your form inputs. For example, the user could use a time picker for the time in the main search, then you can have an input where the user enters the number of days/weeks/etc... to shift back. Then you eval the earliest time token, (e.g. <eval token="sub_earliest">$time_token.earliest$-$input_shift_token$*24*60*60</eval>, this should give you epoch time for earliest, replace in your subsearch earliest=$sub_earliest$, then follow the same process for latest).

 

Hope this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

ericjorgensenjr
Path Finder
‎04-13-2021 07:46 AM

This can be accomplished in different ways, but I would recommend something like this:

<your search> earliest=-1w latest=now | eval ProjectName=ProjectName." - current" | append [ search <your search> earliest=-2w latest=-1w | eval ProjectName=ProjectName." - previous", _time=_time+604800 ] | timechart avg(summary1) as summary1, avg(summary2) as summary2 by ProjectName

 

It's possible to replace the earliest and latest from both searches with variables from your form inputs. For example, the user could use a time picker for the time in the main search, then you can have an input where the user enters the number of days/weeks/etc... to shift back. Then you eval the earliest time token, (e.g. <eval token="sub_earliest">$time_token.earliest$-$input_shift_token$*24*60*60</eval>, this should give you epoch time for earliest, replace in your subsearch earliest=$sub_earliest$, then follow the same process for latest).

 

Hope this helps!

Reply
Solved! Jump to solution

sanketsahoo
Engager
‎04-13-2021 02:53 PM

 Thanks it helps.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-13-2021 06:11 AM

What determines whether the data is from yesterday (presumably this is relative to today?) or last 24 hours?, what about last week (data from 7 days ago or last 7 days or last Sunday to previous Monday)? What about last month (same day of the month in the previous month - what about when the lengths aren't the same - last 30 days, the whole of last month)? Perhaps, you could try adding columns tagging each event with whether it should be included in the summary for yesterday, last week, last month, last quarter etc. Then you might be able to use eventstats to summarise your statistics over those periods.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...