Splunk Enterprise

line chart comparison between yesterday's and today's data

selvam_sekar
Path Finder

Hi,

I have a requirement to show a line chart comparing today's count with the previous day's. I have the SPL below, but we see the data from yesterday and today with each graph line separate.

I want to see the lines together, one superimposed on the other. Please could you suggest?

Please can you suggest how to compare them?

Current SPL:

basesearch earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| timechart span=15m count by Day

Current visualization: (screenshot in original post)

Expected visualization: (screenshot in original post)

isoutamo
SplunkTrust

Hi

Have you looked at the timewrap command?

You could try something like

basesearch earliest=-1d@d latest=now
| timechart span=15m count
| timewrap d

Your result looks a little bit weird, as for yesterday you have a whole day, but today is only from midnight to now.

r. Ismo

selvam_sekar
Path Finder

Thanks @isoutamo. How do we get the comparison between today and yesterday with the same timeline?

Currently I am getting the whole of yesterday (24 hrs), but today only from midnight up to now.

Is it possible for us to bring only today (midnight till now) vs the same timeframe the previous day into the chart?

Current SPL:

basesearch earliest=-1d@d latest=now
| timechart span=1h count
| timewrap d series=short
| fields _time s1 s0
| rename s1 as today, s0 as yesterday

isoutamo
SplunkTrust

Maybe not exactly what you are looking for, but at least you could clear out (set to 0) those events like

basesearch earliest=-1d@d latest=now
| eval takeIn = case (_time>=relative_time(now(),"@d") ,"take",
                      _time<=relative_time(now(), "-1d"), "take",
                      true(), "drop")
| where takeIn = "take"
| timechart span=1h count
| timewrap d series=short
| fields _time s1 s0
| rename s1 as today, s0 as yesterday

selvam_sekar
Path Finder

Thanks @isoutamo. This works as expected 🙂 The only thing is that it is not grouping by the user_id, but rather grouping by timeformat/_time every 1 hr.

Is it possible to group by user_id?

Current SPL:

base search | rex user_id
| eval takeIn = case (_time>=relative_time(now(),"@d") ,"take",
                      _time<=relative_time(now(), "-1d"), "take",
                      true(), "drop")
| where takeIn = "take"
| timechart span=1h count
| timewrap d series=short
| fields _time s1 s0
| rename s1 as today, s0 as yesterday | where today !=""
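As an added illustration (not part of the thread, and in Python rather than SPL), the following reproduces what the final search does so the moving parts are visible: keep today from midnight to now plus the same window yesterday (the takeIn filter), bucket both by hour, shift yesterday onto today's time axis as timewrap does, and split the series by user_id as the last post asks. The function name, NOW and SAMPLE_EVENTS are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ONE_DAY = timedelta(days=1)

def compare_day_over_day(events, now, span=timedelta(hours=1), by=None):
    """Bucket events into `span`-wide slots from today's midnight up to `now`
    and line each slot up with the same wall-clock slot one day earlier.
    Events outside both windows are dropped (the thread's takeIn = "drop").
    `by` is the optional split field, e.g. "user_id".
    Returns (bucket_starts, {key: {"today": [...], "yesterday": [...]}})."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    n_buckets = int((now - midnight) // span) + 1      # include the open bucket
    series = defaultdict(lambda: {"today": [0] * n_buckets,
                                  "yesterday": [0] * n_buckets})
    for ts, fields in events:
        if midnight <= ts <= now:                        # today: @d .. now
            col, aligned = "today", ts
        elif midnight - ONE_DAY <= ts <= now - ONE_DAY:  # same window, yesterday
            col, aligned = "yesterday", ts + ONE_DAY     # shift onto today's axis
        else:
            continue                                     # takeIn = "drop"
        key = fields.get(by, "(missing)") if by else "ALL"
        series[key][col][int((aligned - midnight) // span)] += 1
    bucket_starts = [midnight + i * span for i in range(n_buckets)]
    return bucket_starts, dict(series)

# Constructed sample data: a pretend "now" and a handful of per-user events.
NOW = datetime(2023, 12, 13, 10, 30)
SAMPLE_EVENTS = [
    (datetime(2023, 12, 13, 0, 15), {"user_id": "alice"}),
    (datetime(2023, 12, 13, 0, 45), {"user_id": "bob"}),
    (datetime(2023, 12, 13, 9, 10), {"user_id": "alice"}),
    (datetime(2023, 12, 13, 10, 5), {"user_id": "alice"}),
    (datetime(2023, 12, 12, 0, 20), {"user_id": "alice"}),
    (datetime(2023, 12, 12, 9, 50), {"user_id": "bob"}),
    (datetime(2023, 12, 12, 15, 0), {"user_id": "alice"}),  # after now-1d: dropped
    (datetime(2023, 12, 11, 5, 0), {"user_id": "alice"}),   # two days ago: dropped
]

if __name__ == "__main__":
    starts, per_user = compare_day_over_day(SAMPLE_EVENTS, NOW, by="user_id")
    for user, cols in sorted(per_user.items()):
        for start, t, y in zip(starts, cols["today"], cols["yesterday"]):
            if t or y:
                print(f"{start:%H:%M} {user:<6} today={t} yesterday={y}")
```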