Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

line chart comparison between yesterday and todays data

selvam_sekar
Path Finder
‎12-13-2023 02:11 AM

Hi,

I have requirement to show the line chart comparison between todays count vs previous day. And, I have below SPL but we see the data from yesterday and today, and each graph line is separate.

 I want to see the lines together, one superimposed on the other. please could you suggest?

selvam_sekar_2-1702462177610.png

 

please can you suggest to compare them?

Current SPL:  

basesearch earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| timechart span=15m count by Day

Current visualization:

selvam_sekar_0-1702461940437.png

Expected visualization is:

selvam_sekar_1-1702462074024.png

 

 

Labels (2)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-13-2023 03:01 AM

Hi

have you look timewrap command?

You could try something like 

basesearch earliest=-1d@d latest=now
| timechart span=15m count
| timewrap d

Your result shows little bit weird as yesterday you have a whole day, but today is only from midnight to now.

r. Ismo 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-13-2023 03:01 AM

Hi

have you look timewrap command?

You could try something like 

basesearch earliest=-1d@d latest=now
| timechart span=15m count
| timewrap d

Your result shows little bit weird as yesterday you have a whole day, but today is only from midnight to now.

r. Ismo 

0 Karma
Reply
Solved! Jump to solution

selvam_sekar
Path Finder
‎12-13-2023 08:52 AM

Thanks @isoutamo . How do we get the comparison between today vs yesterday with some time line.

Currently I am getting yesterday whole day(24 hrs) but today midnight to upto now. 

 

is it possible for us to bring only today (midnight till now) vs same timeframe previous day in the chart?

Current SPL:

basesearch earliest=-1d@d latest=now
| timechart span=1h count
| timewrap d series=short
| fields _time s1 s0
| rename s1 as today, s0 as yesterday
0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-13-2023 09:20 AM

Maybe not exactly what you are looking, but at least you could cleared out (set to 0) those events like

basesearch earliest=-1d@d latest=now
| eval takeIn = case (_time>=relative_time(now(),"@d") ,"take",
                      _time<=relative_time(now(), "-1d"), "take",
                      true(), "drop")
| where takeIn = "take"
| timechart span=1h count
| timewrap d series=short
| fields _time s1 s0
| rename s1 as today, s0 as yesterday
0 Karma
Reply
Solved! Jump to solution

selvam_sekar
Path Finder
‎12-15-2023 06:04 AM

Thanks @isoutamo . This works as expected 🙂 and only thing is not grouping the the user_id but rather it's grouping by timeformat/_time every 1 hr.

 

is it possible to group by user_id?

current spl:

base search | rex user_id

| eval takeIn = case (_time>=relative_time(now(),"@d") ,"take",
_time<=relative_time(now(), "-1d"), "take",
true(), "drop")
| where takeIn = "take"
| timechart span=1h count
| timewrap d series=short
| fields _time s1 s0 
| rename s1 as today, s0 as yesterday | where today !=""
0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...