Re: How do you use timewarp in specific?

phamxuantung · ‎10-28-2021

Let's say I have this query

index = x 
|stats count as Total, sum(AMMOUNT) as TAmmount BY MERCHANT, SUBMERCHANT

I want to make a comparison by percentage between this month to the average of TOTAL three month ago. How do you go about using timewarp to archive that goal?

tread_splunk · ‎10-29-2021

You can adapt this. I don't have months of data on my laptop. So I've produced a chart with 2 lines. One line is the last minute of activity (count of events per second), the other line is the average activity based on the 4 minutes before that.

index=_internal sourcetype=splunkd component=Metrics earliest=-5min@min latest=@min
| timechart span=1s count
| eval latestMinute=if(_time>=relative_time(now(),"-1m@m"),"LatestMinute","Average"), sec=strftime(_time,"%S")
| chart avg(count) over sec by latestMinute

PickleRick · ‎10-28-2021

For timewrap you need results of timechart.

How do you use timewarp in specific?

stats

timechart

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?