Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare day to same day for N weeks?

michaudel
Explorer
‎06-03-2013 01:01 PM

I got a question where someone is looking for the hits to a page, but only on Fridays between 6PM and 2 AM the following Saturday. I looked around a bit for a good way to do this and hadn't come up with anything so I thought I would ask.

The challenge here is the fact that we only care about Fridays during a certain time period.

I started with this:
earliest=@w5+18h latest=@w6+2h index=...

but the problem is this only gets me last Friday. I would like to pull every friday for the last "n" weeks.

So i wrote this and it works pretty well, but what I don't like is that splunk still searches every day, only to throw out all but a few days. Thought i would see if anyone had a better way to do this, thanks, Ethan

index=... ... | eval sdate = strftime(_time,"%a %d %B %Y - %H") | eval day = strftime(_time,"%a") | eval hour = strftime(_time,"%H") |search hour >= "18" OR hour = "00" OR hour = "01" AND day = "Fri" |stats count(hits) as HIT by sdate

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎06-03-2013 01:09 PM

There is a much easier way to do this. It will not work for all types of data (the only example of which, AFAIK, are WinEventLogs). So most logfile types will work.

Splunk will automatically (for each event) create fields called date_hour, date_wday, date_minute etc, which can be used for this purpose, so;

sourcetype=blah (date_wday=friday date_hour>18) OR (date_wday=saturday date_hour<2) | ...

would find those events.

NB. These date_* fields will be created from the timestamp inside the event WITHOUT compensating for TZ.

/K

View solution in original post

Reply
Solved! Jump to solution

Lucas_K
Motivator
‎06-03-2013 11:20 PM

Once you have your data using a base search like Kristian's above you can use something like this ( http://splunk-base.splunk.com/answers/59045/how-do-i-make-a-multi-dimension-timechart ) to chart your comparisons.

Here is a good blog post also explaining how to display overlapping time frames ( http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report ).

Reply
Solved! Jump to solution

michaudel
Explorer
‎06-04-2013 01:08 PM

Thanks I checked it out, got to where i need from above, then started to work to make the overlapping time frames... thanks again

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎06-03-2013 01:09 PM

There is a much easier way to do this. It will not work for all types of data (the only example of which, AFAIK, are WinEventLogs). So most logfile types will work.

Splunk will automatically (for each event) create fields called date_hour, date_wday, date_minute etc, which can be used for this purpose, so;

sourcetype=blah (date_wday=friday date_hour>18) OR (date_wday=saturday date_hour<2) | ...

would find those events.

NB. These date_* fields will be created from the timestamp inside the event WITHOUT compensating for TZ.

/K

Reply
Solved! Jump to solution

sjbriggs
Path Finder
‎08-10-2023 07:57 AM

Thanks for this.  Sometimes we overthink solutions and fail to see the easiest one is right in front of us.  I spent all morning trying timewrap and a variety of datetime math solutions because all I wanted to do was compare the 11am hour of bytes per host every day of the week to troubleshoot a problem.  

Much appreciated 🙂

Tags (1)
0 Karma
Reply
Solved! Jump to solution

michaudel
Explorer
‎06-04-2013 01:07 PM

Thanks that worked perfectly

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...