Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

multiple searches in one graph

nirt
Path Finder
‎07-12-2012 05:37 AM

Hi,
I need to create a graph that contains 2 searches, to compare today's search and last week's search
I know there are lot of guides here that explain how to do it, however I'm quite a new splunk user and have tried for the past hours to try and get the graph to show properly however I was not able to product such working search
I was wondering if you guys could assist me in creating such search
My common search is as following:
host="stats" | xmlkv | timechart max(usersCount)

Thank you guys in advance

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎05-21-2014 12:01 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1d | timewrap w

That's it!

http://apps.splunk.com/app/1645/

View solution in original post

Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎05-21-2014 12:01 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1d | timewrap w

That's it!

http://apps.splunk.com/app/1645/

Reply
Solved! Jump to solution

nirt
Path Finder
‎07-15-2012 04:59 AM

In the tip you have posted it says there is an issue displaying all content of an append search for versions prior to 4.3.1, however I'm using 4.3.3 and still have that issue

this search worked for me: compared yesterday to 2 days ago:
host="stats" earliest=-1d@d latest=-0d@d | xmlkv | eval ReportKey="today" | append maxtime=100 [ search host="stats" earliest=-2d@d latest=-1d@d | xmlkv | eval ReportKey="yesterday" | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time), new_time, _time) | timechart span=10m max(usersCount) by ReportKey

0 Karma
Reply
Solved! Jump to solution

nirt
Path Finder
‎07-15-2012 07:08 AM

I'm having problems showing the graph properly when comparing last week's day to today
Each graph shows independatly instead of together
the following search is being used:

host="stats" earliest=-0d@d latest=+1d@d | xmlkv | eval ReportKey="today" | append maxtime=100 [ search host="stats" earliest=-7d@d latest=-6d@d | xmlkv | eval ReportKey="same day last week" | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time), new_time, _time) |
timechart span=20m max(usersCount) by ReportKey

also tried eval new_time=_time+60*60*24*7

any ideas?

0 Karma
Reply
Solved! Jump to solution

nirt
Path Finder
‎07-12-2012 06:45 AM

I have read it and came up with this:
host="stats" earliest=-0d@d latest=now | xmlkv | eval ReportKey="today" | append [ search host="stats" earliest=-1d@d latest=-0d@d | xmlkv | eval ReportKey="yesterday" | eval _time=_time+86400 ] | timechart span=10m max(usersCount) by ReportKey

however, the graph does not look right - it shows all of today and then a small portiion of yesterday AFTER today instead in parallel

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎07-12-2012 06:30 AM

Have you read through this? It gives a detailed walk through of one way to do it?

http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...