Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Comparing two searches from separate time ranges w...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bencooper1
Engager
11-01-2019
01:02 PM
Hello,
I am trying to compare two time windows in the same index but I would like the chart comparing them to be based on a specified name of those time ranges rather than on time.
For example:
Release_A = October 2nd
Release_B = September 20th
(index=.... url=* earliest="10/02/2019:00:00:00" latest="10/02/2019:23:59:59") OR (index=... url=* earliest="09/20/2019:00:00:00" latest="09/20/2019:23:59:59")
| chart avg(seconds) by _time span=1d
I want the chart x-axis values to be Release_A and Release_B rather than a timeline.
Any advice on how to do this would be very appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
11-01-2019
01:59 PM
try this:
(index=.... url= earliest="10/02/2019:00:00:00" latest="10/02/2019:23:59:59") OR (index=... url= earliest="09/20/2019:00:00:00" latest="09/20/2019:23:59:59")
| chart avg(seconds) by _time span=1d
| convert ctime(_time) timeformat="%B %d"
OR
(index=.... url= earliest="10/02/2019:00:00:00" latest="10/02/2019:23:59:59") OR (index=... url= earliest="09/20/2019:00:00:00" latest="09/20/2019:23:59:59")
| eval time=case(date_mday="2","Release_A",date_mday="20","Release_B")
| chart avg(seconds) by time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
11-01-2019
01:59 PM
try this:
(index=.... url= earliest="10/02/2019:00:00:00" latest="10/02/2019:23:59:59") OR (index=... url= earliest="09/20/2019:00:00:00" latest="09/20/2019:23:59:59")
| chart avg(seconds) by _time span=1d
| convert ctime(_time) timeformat="%B %d"
OR
(index=.... url= earliest="10/02/2019:00:00:00" latest="10/02/2019:23:59:59") OR (index=... url= earliest="09/20/2019:00:00:00" latest="09/20/2019:23:59:59")
| eval time=case(date_mday="2","Release_A",date_mday="20","Release_B")
| chart avg(seconds) by time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bencooper1
Engager
11-04-2019
08:25 AM
That helped a lot and I will definitely be using that eval-case command in the future.
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
11-01-2019
01:34 PM
(index=.... url= earliest="10/02/2019:00:00:00" latest="10/03/2019:00:00:00") OR (index=... url= earliest="09/20/2019:00:00:00" latest="09/21/2019:00:00:00")
| timechart avg(seconds) span=1d
Hi, try timechart
Get Updates on the Splunk Community!
Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts
We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...
Video | Tom’s Smartness Journey Continues
Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
Learn how unique features like ...
