Splunk Search

How to compare results of same search for two different time ranges without using timechart?

ashbhaic
Explorer

I have logs which tell me the service name, time and domain name where this service was called.

I have a query to chart the number of services that were invoked for each domain (channel) as below :

index=realtimelogs earliest=-15m@m | chart count(SERVICE) AS "No. of Services Invoked" by channel

It results in below :

channel     No. of Services Invoked
TSYS        1234
Fidelity    2345

I am looking for a single query that can pull the count in two different time intervals so that I can compare the count by channel in those two time ranges. (I am looking for a way to add a new column to the existing result which lists data from a different time range.)

I am not looking for plotting the results against time. I just need a side by side comparison.

1 Solution

ashbhaic
Explorer

Ok... so I figured out a way to do this...
All answers point to use of append but were plotting the data on a timechart. My need is to plot the number of services that were invoked against the channel where they were invoked and do a comparison side by side, and append was way too slow.
Below is what I used and it gives me exactly what I am looking for:

|multisearch [search index=realtimelogs earliest=-15m@m | eval id="15m back"] [search index=realtimelogs earliest=-30m@m latest=-15m@m | eval id="30m back"] | chart count(SERVICE) by channel id

It plots as a bar chart (sadly I don't have enough points to post a pic here 😞) with two bars per channel showing the count of services that were invoked between now and 15m back and between 15m and 30m back.
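As an added example (not part of the accepted answer), the same multisearch approach extended so that each channel's change between the two windows is visible in the table, not just the two raw counts; the index and the `SERVICE` and `channel` fields are the ones from the question, while the window labels `current`/`previous` and the `delta`/`pct_change` field names are assumptions. Both subsearches carry an explicit `latest` so the windows are exactly 15 minutes each, and `fillnull` covers a channel that only appears in one window.

```spl
| multisearch
    [ search index=realtimelogs earliest=-15m@m latest=@m     | eval id="current" ]
    [ search index=realtimelogs earliest=-30m@m latest=-15m@m | eval id="previous" ]
| chart count(SERVICE) BY channel id
| fillnull value=0 current previous
| eval delta=current-previous
| eval pct_change=if(previous=0, null(), round(100*delta/previous, 1))
| sort - delta
```

`chart ... BY channel id` names its columns after the values of `id`, so `current` and `previous` are the two count columns and `delta` is negative for a channel whose call volume dropped.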


Richfez
SplunkTrust

Another way to handle this could be:

index=realtimelogs earliest=-30m@m | bin _time bins=2 | stats count by _time, channel | xyseries _time, channel, count

You can change around the order of the parameters of the xyseries to change what's plotted against what, and bin has more options, like span=15m, log spans and all sorts of other things.

Just another option for people who stumble across this question in the future.
