How to check data during a time period relative to another time period

TylerJVitale
Explorer

I want to be able to create a report of available memory from the last 24 hours, checking the available memory for the last 4 hours each hour. So for example,

9am: Available Memory from 5-9am
10am: Available Memory from 6-10am

and so on. How would I set this up?

0 Karma

mdsnmss
SplunkTrust

In order to have a running report for 24 hours with those intervals, what I would do is schedule the report for every hour with a search range of the last 4 hours. This will give you the available memory for a single 4-hour period, which you can add to a lookup table as part of the search. Within the search we can build in logic to only retain a specific range of data in the lookup and say if a row in the table is >24 hours old, drop it from the table. Do you have a search to work with?

0 Karma

TylerJVitale
Explorer

|bin _time span=4h|stats avg(Value) as "Last 4h"|join [search |bin _time span=24h|stats avg(Value) as "Last 24h"]|sort- _time|head 1

@mdsnmss As of now I have this and if I have a report run every hour and append the results to a csv lookup file, I think it should work, giving me an average over the last 4h and last 24h, right?

However, I'm doing this for someone else and I think they might need historical data, like doing this same thing, but from every hour over the past 24 hours, and I'm not sure if that is possible. If it is, great. If not, if you could just look over my query and tell me if that's what I can do going forward, I'd appreciate it.

0 Karma
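
One way to produce the historical view asked about above in a single search, as an added example that is not part of either poster's replies: it computes a 4-hour average of `Value` ending at each of the last 24 full hours. The `<your_index>` and `<your_sourcetype>` placeholders and the output field names are assumptions; `Value` is the field from the query in the thread.

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=-27h@h latest=@h
| timechart span=1h sum(Value) as hour_sum count(Value) as hour_count
| streamstats window=4 sum(hour_sum) as sum_4h sum(hour_count) as count_4h count as hours_in_window
| where hours_in_window=4
| eval avail_mem_avg_4h=round(sum_4h/count_4h, 2)
| eval window_start=strftime(_time-10800, "%Y-%m-%d %H:%M")
| eval window_end=strftime(_time+3600, "%Y-%m-%d %H:%M")
| table window_start window_end avail_mem_avg_4h
```

Summing and counting per hour before dividing gives the true average over each 4-hour window rather than an average of hourly averages, and the extra 3 hours in the time range let the oldest of the 24 rows cover a full window.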