Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Query to compare total throughput for two distinct dates

chama4tem
Loves-to-Learn
‎11-29-2023 04:46 AM

I would like to compare total throughput for two dates 60 days apart (say, current and -60d). The query in the CMC that generates the throughput is 

index=_internal (host=`sim_indexer_url` OR host=`sim_si_url`) sourcetype=splunkd group=per_Index_thruput series!=_*
| timechart minspan=30s per_second(kb) as kb by series

I need the series information, but it could be binned into 1 whole day.

 

Labels (1)
Labels
0 Karma
Reply

chama4tem
Loves-to-Learn
‎11-30-2023 03:19 AM

90 days

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-30-2023 03:20 AM

So what is the time of your earliest event?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-29-2023 05:16 AM

Try something like this

index=_internal (host=`sim_indexer_url` OR host=`sim_si_url`) sourcetype=splunkd group=per_Index_thruput series!=_* (earliest=@d latest=now) OR (earliest=-60d@d latest=-59d@d)
| timechart minspan=30s per_second(kb) as kb by series
0 Karma
Reply

chama4tem
Loves-to-Learn
‎11-30-2023 02:57 AM

Hi this doesn't work; I'm not getting anything for the earlier dates (and I have expanded the date range to two days before the -60 date and today).

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-30-2023 03:13 AM

What is the retention period on your index or the earliest event in your index?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...