Splunk Search

How to achieve multiple time ranges in a single report/view?

angadbagga
Explorer

Here is my query. In the final line chart, when I hover, I am not getting different dates, rather only 26th Sept (today's date). (I want to have today, last week same day, 2 weeks back same day and 3 weeks back same day in the same visualization.)

index=xyz sourcetype=abc earliest=-60m@m latest=@m
| eval ReportKey="Today"
| append
    [search index=xyz sourcetype=abc earliest=-60m@m-1w latest=@m-1w
    | eval ReportKey="LastWeek" | eval _time=_time+60*60*24*7]
| append
    [search index=xyz sourcetype=abc earliest=-60m@m-2w latest=@m-2w
    | eval ReportKey="TwoWeeksBefore" | eval _time=_time+60*60*24*14]
| append
    [search index=xyz sourcetype=abc earliest=-60m@m-3w latest=@m-3w
    | eval ReportKey="ThreeWeeksBefore" | eval _time=_time+60*60*24*21]
| timechart span=1m count(index) as Volume by ReportKey

0 Karma

richgalloway
SplunkTrust

Only today's date is being shown because _time is adjusted to the current date in each subsearch.  You can avoid showing the date and show only the time using fieldformat.

index=xyz sourcetype=abc earliest=-60m@m latest=@m
| eval ReportKey="Today"
| append
    [search index=xyz sourcetype=abc earliest=-60m@m-1w latest=@m-1w
    | eval ReportKey="LastWeek" | eval _time=relative_time(_time, "+1w")]
| append
    [search index=xyz sourcetype=abc earliest=-60m@m-2w latest=@m-2w
    | eval ReportKey="TwoWeeksBefore" | eval _time=relative_time(_time, "+2w")]
| append
    [search index=xyz sourcetype=abc earliest=-60m@m-3w latest=@m-3w
    | eval ReportKey="ThreeWeeksBefore" | eval _time=relative_time(_time, "+3w")]
| timechart span=1m count(index) as Volume by ReportKey
| fieldformat _time=strftime(_time, "%H:%M:%S")
---
If this reply helps you, Karma would be appreciated.
0 Karma

angadbagga
Explorer

Though I see the statistics with only hrs:min:sec in _time and 4 columns (LastWeek, ThreeWeeksBefore, Today and TwoWeeksBefore), I can't see the line chart as a visualization now. 😞

I wanted a line chart with _time on the x axis and the rest on the y axis.

0 Karma

angadbagga
Explorer

As we have strategically removed the day, any visualization with _time on the x axis is no longer showing.

0 Karma

angadbagga
Explorer

@richgalloway: What should be the next step to see the visualization? With only hrs, min and sec there is no graph/chart possible.

0 Karma

richgalloway
SplunkTrust

You have a choice to make.  If you wish to see a visualization then the full timestamp must be present and you will see today's date.  If you do not wish to see today's date then it can be removed, but then you will not see a visualization.

---
If this reply helps you, Karma would be appreciated.
0 Karma

angadbagga
Explorer

Can I remove the date part from the XML in the visualization? (I want to have the visualization as well, and I don't want to see the date while I hover on it.)
I want to see the value while I hover, but not the date.

0 Karma

andrew_nelson
Communicator

The reason you're only getting Sept 26th is because you're rewriting the timestamp in each appended search and setting them to today's date. The timewrap function is what you need. Try this:

index=xyz sourcetype=abc earliest=-60m@m latest=@m
| append [search index=xyz sourcetype=abc earliest=-60m@m-1w latest=@m-1w]
| append [search index=xyz sourcetype=abc earliest=-60m@m-2w latest=@m-2w]
| append [search index=xyz sourcetype=abc earliest=-60m@m-3w latest=@m-3w]
| timechart span=1m count(index) as Volume
| timewrap w
0 Karma

angadbagga
Explorer

This is still giving the same _time with today's date and time in stats. 🙂

0 Karma

andrew_nelson
Communicator

You said your end goal was "I want to have today, last week same day, 2 weeks back same day & 3 week back same day in the same visualization"

Is it necessary to have _time accurate? The search I provided automatically tags them as latest_week, 1week_before, 2weeks_before and 3weeks_before.

[screenshot: andrew_nelson_0-1664272072149.png]


If you want _time accurate, then you can remove the timewrap command and you'll get them all on the one graph, but it's not gonna be that useful since you're looking at 1 hour per week, which means 167 hours are empty.

[screenshot: andrew_nelson_1-1664272311999.png]


0 Karma
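A single-search variant of what this thread arrives at, added here as an example (it is not from any of the posters). It combines the two threads of the discussion: the four one-hour windows are selected with OR'd earliest/latest groups instead of three appends, each older window is shifted onto today's clock with relative_time (DST-safe, unlike adding raw seconds), and the x axis is rewritten to an HH:MM string after timechart so the line chart still renders while hover shows only the time of day, which is what the last question asked for. It assumes the same index=xyz and sourcetype=abc as above; the field names weeks_ago and TimeOfDay are made up for the example. This same-hour, week-over-week overlay is the usual baseline check for a log source going quiet or spiking: a minute where Today is 0 while the three earlier weeks are non-zero is the thing to look for.

```spl
index=xyz sourcetype=abc
    ((earliest=-60m@m latest=@m)
     OR (earliest=-60m@m-1w latest=@m-1w)
     OR (earliest=-60m@m-2w latest=@m-2w)
     OR (earliest=-60m@m-3w latest=@m-3w))
| eval weeks_ago=floor((relative_time(now(), "@m") - _time) / 604800)
| eval ReportKey=case(weeks_ago==0, "Today",
                      weeks_ago==1, "LastWeek",
                      weeks_ago==2, "TwoWeeksBefore",
                      weeks_ago==3, "ThreeWeeksBefore")
| eval _time=relative_time(_time, "+".tostring(weeks_ago)."w")
| timechart span=1m count as Volume by ReportKey
| eval TimeOfDay=strftime(_time, "%H:%M")
| table TimeOfDay Today LastWeek TwoWeeksBefore ThreeWeeksBefore
```

weeks_ago is the whole number of weeks between the search's start minute and the event, so it is 0 for this hour, 1 for the same hour last week, and so on; the inline time modifiers override the time picker and only the four hours are scanned. After timechart, the split-by values become the column names, so the final table lists them explicitly (which also fixes the legend order and drops _time and _span). Because TimeOfDay is the first column, Splunk's line chart uses it as a categorical x axis and shows "08:15" rather than a full timestamp on hover; if you want the week labels andrew_nelson's timewrap produces instead, keep _time and stop before the strftime line.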