Query to compare total throughput for two distinct...

chama4tem · ‎11-29-2023

I would like to compare total throughput for two dates 60 days apart (say, current and -60d). The query in the CMC that generates the throughput is

index=_internal (host=`sim_indexer_url` OR host=`sim_si_url`) sourcetype=splunkd group=per_Index_thruput series!=_*
| timechart minspan=30s per_second(kb) as kb by series

I need the series information, but it could be binned into 1 whole day.

chama4tem · ‎11-30-2023

90 days

ITWhisperer · ‎11-30-2023

So what is the time of your earliest event?

ITWhisperer · ‎11-29-2023

Try something like this

index=_internal (host=`sim_indexer_url` OR host=`sim_si_url`) sourcetype=splunkd group=per_Index_thruput series!=_* (earliest=@d latest=now) OR (earliest=-60d@d latest=-59d@d)
| timechart minspan=30s per_second(kb) as kb by series

chama4tem · ‎11-30-2023

Hi this doesn't work; I'm not getting anything for the earlier dates (and I have expanded the date range to two days before the -60 date and today).

ITWhisperer · ‎11-30-2023

What is the retention period on your index or the earliest event in your index?

Query to compare total throughput for two distinct dates

monitoring console

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation