Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare the results of 2 single panel between 2 different dates?

jip31
Motivator
‎04-27-2022 03:32 AM

Hi

I need to compare the results of 2 single panel between 2 different dates

The first single panel concerns the results of the current day in the last 15 minutes and consists in a basic count

 

| stats dc(s)

 

In the second single panel, I need to do the same count but for one week before but also in the last 15 minutes compared to the current time

Is it possible to do such a thing?

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-27-2022 11:46 PM

I showed you some techniques you can use to get results from two separate timeframes. It's up to you to stitch them together into some reasonable search 🙂

There are also some factors affecting how you'd approach to such result (for example - time alignment) so it's not that easy to give a copy-paste solution. And you might end up needing to append two separate searches to each other.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎04-27-2022 05:06 AM

You can use eval in stats to get only a subset of the events to summarize.

Run anywhere example that generates 100 random numbers in range 0-99 - one for each "second ago" and counts how many different values were present more than 30 seconds ago and less that 15 seconds ago

| makeresults count=100 
| eval myval=random() % 100
| streamstats count
| eval _time=now()-count
| eventstats dc(eval(if(_time<now()-30,myval,null()))) as before_30 dc(eval(if(_time>now()-15,myval,null()))) as after_15

Here I use eventstats so you see the original data and can verify but of course you can use stats the same way.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-27-2022 07:40 AM

thanks but it's not exactly my need

here is what I done 

with this, I retrieve the s count one week ago for every 15 minutes

`tutu` sourcetype="session" earliest=-7d@d+7h latest=-7d@d+19h  
| bin _time span=15m 
| eval time=strftime(_time,"%H:%M") 
| stats dc(s) by time

 now it miss something

I need to compare the current time with the time corresponding in my search and to display the result

have you an idea please?

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎04-27-2022 03:02 PM

That was just one of the ideas you could use to make your own solution. Remember that you can use alternative of several different timespans.

For example:

index=winevents (earliest=-7d@d latest=-7d@d+2h) OR (earliest=-6d@d latest=-6d@d+2h)
| timechart span=15m dc(EventID) as dc
| where dc>0

Will give me count of unique EventIDs in each 15 minute long span but only during two separate two hours long windows.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-27-2022 09:32 PM

thanks

but my exact need is to be able to compare the current time with the timechart _time in order to display only the result corresponding to the current time

So I need something like this :

| eval currenttime=strftime(now(), "%d/%m/%Y %H:%M")

| eval pasttime=strftime(_time, "%d/%m/%Y %H:%M")

| eval pastcurrent=if(pasttime=currenttime, count, "")

| table count

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎04-27-2022 09:38 PM

Sorry, but that doesn't make much sense. You can't calculate stats from a week ago and compare them to a current timestamp (ok, technically you can but it's pointless). These are two different things.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-27-2022 09:44 PM

sorry but your search doesnt do the job i need because there is no matching with the current time

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-27-2022 11:46 PM

I showed you some techniques you can use to get results from two separate timeframes. It's up to you to stitch them together into some reasonable search 🙂

There are also some factors affecting how you'd approach to such result (for example - time alignment) so it's not that easy to give a copy-paste solution. And you might end up needing to append two separate searches to each other.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...