Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Comparing two searches from separate time rang...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bencooper1
Engager
11-01-2019
01:02 PM
Hello,
I am trying to compare two time windows in the same index but I would like the chart comparing them to be based on a specified name of those time ranges rather than on time.
For example:
Release_A = October 2nd
Release_B = September 20th
(index=.... url=* earliest="10/02/2019:00:00:00" latest="10/02/2019:23:59:59") OR (index=... url=* earliest="09/20/2019:00:00:00" latest="09/20/2019:23:59:59")
| chart avg(seconds) by _time span=1d
I want the chart x-axis values to be Release_A and Release_B rather than a timeline.
Any advice on how to do this would be very appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
11-01-2019
01:59 PM
try this:
(index=.... url= earliest="10/02/2019:00:00:00" latest="10/02/2019:23:59:59") OR (index=... url= earliest="09/20/2019:00:00:00" latest="09/20/2019:23:59:59")
| chart avg(seconds) by _time span=1d
| convert ctime(_time) timeformat="%B %d"
OR
(index=.... url= earliest="10/02/2019:00:00:00" latest="10/02/2019:23:59:59") OR (index=... url= earliest="09/20/2019:00:00:00" latest="09/20/2019:23:59:59")
| eval time=case(date_mday="2","Release_A",date_mday="20","Release_B")
| chart avg(seconds) by time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
11-01-2019
01:59 PM
try this:
(index=.... url= earliest="10/02/2019:00:00:00" latest="10/02/2019:23:59:59") OR (index=... url= earliest="09/20/2019:00:00:00" latest="09/20/2019:23:59:59")
| chart avg(seconds) by _time span=1d
| convert ctime(_time) timeformat="%B %d"
OR
(index=.... url= earliest="10/02/2019:00:00:00" latest="10/02/2019:23:59:59") OR (index=... url= earliest="09/20/2019:00:00:00" latest="09/20/2019:23:59:59")
| eval time=case(date_mday="2","Release_A",date_mday="20","Release_B")
| chart avg(seconds) by time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bencooper1
Engager
11-04-2019
08:25 AM
That helped a lot and I will definitely be using that eval-case command in the future.
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
11-01-2019
01:34 PM
(index=.... url= earliest="10/02/2019:00:00:00" latest="10/03/2019:00:00:00") OR (index=... url= earliest="09/20/2019:00:00:00" latest="09/21/2019:00:00:00")
| timechart avg(seconds) span=1d
Hi, try timechart
Get Updates on the Splunk Community!
Get Schooled with Splunk Education: Explore Our Latest Courses
At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
The Splunk AI Assistant for SPL ...
Buttercup Games: Further Dashboarding Techniques (Part 5)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
