Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trying to create a overlayed line chart

rmorlen
Splunk Employee
Splunk Employee
‎11-15-2012 07:57 AM

I am trying to create a line chart showing results from today compared to a week ago. I searched answers but still haven't got it to work. We are running Splunk 4.2.5.

I also looked at the blog at: Blog

Here is my query:
index=_audit earliest=-0d@d latest=now savedsearch_name=*

| eval searchStartTime=strptime(apiStartTime, "'%a %B %d %H:%M:%S %Y'")

| eval searchEndTime=strptime(apiEndTime, "'%a %B %d %H:%M:%S %Y'")

| eval searchExecuteTime=_time

| eval deltaFromEnd=searchExecuteTime - searchStartTime

| eval ReportKey="Today"

| append [search index=_audit earliest=-7d@d latest=-6d@d savedsearch_name=*

| eval searchStartTime2=strptime(apiStartTime, "'%a %B %d %H:%M:%S %Y'")

| eval searchEndTime2=strptime(apiEndTime, "'%a %B %d %H:%M:%S %Y'")

| eval searchExecuteTime2=_time

| eval deltaFromEnd=searchExecuteTime2 - searchStartTime2

| eval ReportKey="Last Week"

| eval new_time=_time+604800 ]

| eval _time=if(isnotnull(new_time), new_time, _time)

| timechart span=15m median(deltaFromEnd) by ReportKey

Tags (2)
0 Karma
Reply

jonuwz
Influencer
‎11-16-2012 05:10 AM

Try this approach instead :

index=_internal sourcetype=splunkd eps > 0 | addinfo 
| eval date_wnum=strftime(_time, "%V") 
| eval date_wnum_now=strftime(info_max_time, "%V")
| eval _time=_time+(date_wnum_now-date_wnum)*86400*7  
| eval date_wnum=if(date_wnum==date_wnum_now,"This week",(date_wnum_now-date_wnum)." weeks ago")
| bin _time span=1h
| chart avg(eps) over _time by date_wnum
| makecontinuous _time

You can just alter your search range and it'll cope with it rather than having to alter your search all the time.

Reply

jonuwz
Influencer
‎11-19-2012 07:52 AM

Thats because the example uses a search with lots and lots of data.

0 Karma
Reply

rmorlen
Splunk Employee
Splunk Employee
‎11-19-2012 07:49 AM

Doesn't appear to be working very well. Really, really slow.

Thanks for the suggestion.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...