I have a feed going into Splunk currently that follows a trend that looks like it starts at a very small number, then increases during the day until the middle of the day, and then goes back down to a small number. What I want to do is build a search that will look at this day 7 days ago and, for every hour, add 10% and subtract 10%, so that I have a threshold that I can chart on my chart for today.
Basically, I want today's chart, a minimum and a maximum, all in the one chart, with the max and min being a 10% difference from the same time 7 days ago. This is used to show that if today's logs are more than last week's, it will show me, as it will go over the 10% threshold of 7 days ago.
You need to search for the events that you want to chart, and then alter the time range so that they can be charted together. That can be done the old way, by manually setting a 'marker' and then adding to the _time field (first example), or you can use the timewrap command, which is available as an app here: http://apps.splunk.com/app/1645/
For these sample queries, data from the _internal index has been used, so you can cut and paste these code samples directly to play around with them, as the _internal index is present on all Splunk installations. Just make sure that you have the proper access rights.
You could also go with a simpler search where you get all events from the last week and filter the results after the timewrap command:
index=_internal sourcetype=splunkd earliest=-7d@d group=per_index_thruput series="_internal"
| timechart span=1h avg(eps) as avg_eps
| timewrap d
| <the rest of your commands for filtering out / manipulating fields>
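As an added example (not the answerer's own search), here is the simpler search carried through to the ±10% band the question asks for. It assumes the field names that timewrap produces for a daily wrap over this time range: avg_eps_latest_day for today's hourly values and avg_eps_7days_before for the same weekday last week. Check the actual names in the statistics tab of your own results before relying on them, since the field naming can differ between the app and the built-in command.

```spl
index=_internal sourcetype=splunkd group=per_index_thruput series="_internal" earliest=-7d@d
| timechart span=1h avg(eps) as avg_eps
| timewrap d
| eval lower_threshold=avg_eps_7days_before*0.9
| eval upper_threshold=avg_eps_7days_before*1.1
| rename avg_eps_latest_day as today
| fields _time today lower_threshold upper_threshold
```

With earliest=-7d@d the wrapped results start at midnight seven days ago, so avg_eps_7days_before covers a full 24 hours while today is filled in only up to the current hour; the remaining hours of today stay empty on the chart, which is what you want when comparing against last week's curve. Rendered as a line chart, the three fields give today's line between the two threshold lines, and any hour where today rises above upper_threshold is the condition the question describes. Because the band is only 10% of a single day's hourly average, noisy feeds will cross it often; averaging several earlier weeks (for example avg_eps_7days_before and avg_eps_14days_before over a -14d@d range) gives a steadier baseline if that becomes a problem.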