Hi @selvam_sekar,
did you explore the timewrap command at https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Timewrap ?
Ciao.
Giuseppe
Thanks @gcusello. Could you help me with the asks below?
When we run the base query without timewrap, today's count is only 6 and yesterday's count is 19.
But when we run the base query with timewrap, today's total is 25 and yesterday's total is 13.
Splunk Query:
basesearch earliest=-7d@d latest=now()
| timechart span=1h count
| timewrap d series=short
| addtotals s*
| eval 7dayavg=Total/7.0
| table _time, s0, s1, Total, 7dayavg
| rename s0 as Today, s1 as yesterday
Results:
_time | Today | yesterday | Total | 7dayavg |
2024-01-31 08:00 | 0 | 0 | 0 | 0.0 |
2024-01-31 09:00 | 0 | 0 | 0 | 0.0 |
2024-01-31 10:00 | 2 | 0 | 4 | 0.57 |