Help with timewrap Command

Shashank_87 · ‎11-14-2019

Hi, I am trying to show a comparison of traffic on my website for today, yesterday and last week. I am using below query for getting the results. My query is if i put that into a chart then on x-axis, i get time field which shows time for last 24 hours. So what does it mean exactly?
I mean does it show the 7 days before on this time, this was the traffic? I am not able to get the _time field understanding here.
Can someone help?

index=web_prod sourcetype=access_combined req_content="/" earliest=-8d@d latest=now
| timechart count span=1h
| timewrap d
| table _time 1day_before 7days_before latest_day

bowesmana · ‎06-28-2020

The timewrap normalises all the time series on to the same time window, i.e. in your case the last 24 hours. It will create a new series for each of the days going back in time in your search time range

I think your field names are not quite right

| table _time 1day_before 7days_before latest_day

Missing '_' character in fields

Jegan · ‎06-28-2020

This would work

index=webprod sourcetype=accesscombined reqcontent="/" | timechart count span=1h | timewrap d | table _time, _span, 1daybefore, 7daysbefore, latestday

Jegan · ‎06-28-2020

Got answer for the above?

Help with timewrap Command

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...