Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing attendance info for two months (Feb and July)

msage
Path Finder
‎08-03-2020 10:49 AM

I want to create a chart showing the attendance between pre covid (February) and current covid (July) for one of our offices. This is my current search which gets me the data I need but I'm unsure on how to overlap the data so we can see the direct comparison. 

| multisearch
[search index="physec_app_lenel" EVDESCR="Access Granted" READERDESC="TOK*" earliest="07/01/2020:20:00:00" latest="07/28/2020:23:00:00"
| eval Attendance="July"]
[search index="physec_app_lenel" EVDESCR="Access Granted" READERDESC="TOK*" earliest="02/01/2020:01:00:00" latest="02/28/2020:23:00:00"
| eval Attendance="February"]
| timechart span=1w dc(CARDNUM) by Attendance

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2020 02:07 PM
You should have two series (one called "February" and one called "July") with the same start and end times on a single graph.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2020 11:43 AM

All you need to do is adjust the time range of one of the searches so it lines up with the other search.

| multisearch
[search index="physec_app_lenel" EVDESCR="Access Granted" READERDESC="TOK*" earliest="07/01/2020:20:00:00" latest="07/28/2020:23:00:00"
  | eval Attendance="July"]
[search index="physec_app_lenel" EVDESCR="Access Granted" READERDESC="TOK*" earliest="02/01/2020:01:00:00" latest="02/28/2020:23:00:00"
  | eval Attendance="February"
  | eval _time=_time + strptime("07/01/2020:20:00:00", "%m/%d/%Y:%H:%M:%S") - strptime("02/01/2020:20:00:00", "%m/%d/%Y:%H:%M:%S")]
| timechart span=1w dc(CARDNUM) by Attendance
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

msage
Path Finder
‎08-03-2020 01:55 PM

Hey thanks for the reply! I tried doing this but it seems to connect both series into one when I try

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2020 02:07 PM
You should have two series (one called "February" and one called "July") with the same start and end times on a single graph.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

msage
Path Finder
‎08-03-2020 05:49 PM

I got it to work thank you so much for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...