Solved: Comparing counts for different time ranges

queryaslan · ‎12-15-2021

Hi , when I'm deploying new changes to my services I want to compare the last day's error logs to the last week to see if there has been an increase for a specific message. I have trouble figuring out how I display the counts for the different time ranges by message.

This kind of gives the correct result but the same message for last and this week will not be grouped correctly.

sourcetype="my pod" level="error" | eval marker = if (_time < relative_time(now(), "-1d@d"),
"lastweek", "thisweek") | multireport [where marker="thisweek" | stats count as this week by message] [where marker="lastweek" | stats count as last week by message]

Grateful for any help

ITWhisperer · ‎12-15-2021

sourcetype="my pod" level="error" 
[| makeresults
| eval days=mvappend("0","7")
| mvexpand days
| eval earliest=relative_time(now(),"-".tostring(1+days)."d@d")
| eval latest=relative_time(now(),"-".tostring(days)."d@d")
| table earliest latest]
| bin _time span=1d
| stats count by _time message
| eval time=if(_time<relative_time(now(),"-1d@d"),"Count before yesterday","Count yesterday")
| xyseries message time count

View solution in original post

ldongradi_splun · ‎12-15-2021

Assuming you use | timechart, you can immediately after use | timewrap to let the display split by your favorite span.

For example :

... earliest=-1d @d | timechart count span=1h | timewrap 1h
... earliest=@w | timechart count span=1h | timewrap 1d
.. earliest=-4w@w | timechart count span=1d | timewrap 1d

Timewrap will automaticaly add new series with a suffix as ...1hour_before ...2days_before ... latest_day

queryaslan · ‎12-15-2021

Hmm won't bin group per _time range like this:

Message	_time
failed	2021-12-15	1
failed	2021-12-14	1

Which makes it impossible to compare a lot of different messages.

So my wanted format is:

Message	Count before release time	Count after release time
failed	1	1

ITWhisperer · ‎12-15-2021

sourcetype="my pod" level="error" 
[| makeresults
| eval days=mvappend("0","7")
| mvexpand days
| eval earliest=relative_time(now(),"-".tostring(1+days)."d@d")
| eval latest=relative_time(now(),"-".tostring(days)."d@d")
| table earliest latest]
| bin _time span=1d
| stats count by _time message
| eval time=if(_time<relative_time(now(),"-1d@d"),"Count before yesterday","Count yesterday")
| xyseries message time count

PickleRick · ‎12-15-2021

You have the values. Now all you need is to transform them to the proper format.

If you have them like this:

Message	_time	count
failed	2021-12-15	1
failed	2021-12-14	1

You can do

| xyseries Message _time count

To transform it to the table you want (ok, you'll still have ugly _time values so you might want to stftime it first).

ITWhisperer · ‎12-15-2021

To get counts for yesterday and the same day a week ago, you could do this

sourcetype="my pod" level="error" 
[| makeresults
| eval days=mvappend("0","7")
| mvexpand days
| eval earliest=relative_time(now(),"-".tostring(1+days)."d@d")
| eval latest=relative_time(now(),"-".tostring(days)."d@d")
| table earliest latest]
| bin _time span=1d
| stats count by _time message

PickleRick · ‎12-15-2021

It seems you're overthinking it a bit 😉

Just use bin if you want fixed buckets and then do your

stats count by message _time

Oh, and if you compare to "-1d@d", it's not "last week", it's "yesterday" 😉

Comparing counts for different time ranges

index

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!