Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to compare two time same time frames with different day's.

rchams
Explorer
‎06-12-2020 10:51 AM

How to compare the average value of the field in two different time frames i.e same time today with same time yesterday.

Compare the today time frame with yesterday's time frame.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-12-2020 11:16 AM
Depending on your query, you may be able to use the timewrap command.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rchams
Explorer
‎06-12-2020 01:19 PM

If i use timewrap it gives the total day average like yesterday total average comparing with today time frame(example like last 60mins). I'm looking for the search to compare the average value in the same time frame like 1 pm to 1.30 pm today with 1 pm to 1.30 pm yesterday. 

 

my search is :

index=XXXX sourcetype=XXXXX esb_service="XXXXXX"  esb_environment=prod esb_event=esbRespBE 
| eval esb_backend_time=round(esb_backend_time/1000,2)
| bin _time span=15m
| stats max(esb_backend_time) as response_time by esb_service,_time
| eval response_time = round(response_time,2)

 

0 Karma
Reply

to4kawa
Ultra Champion
‎06-12-2020 02:17 PM

index=XXXX sourcetype=XXXXX esb_service="XXXXXX"  esb_environment=prod esb_event=esbRespBE 
| eval esb_backend_time=round(esb_backend_time/1000,2)
| bin _time span=15m
| stats max(esb_backend_time) as response_time by esb_service,_time
| eval response_time = round(response_time,2)

| eval date=if(strftime(now(),"%F")=strftime(_time,"%F"),"today","yesterday")

| eval _time=strftime(_time,"%T")

| xyseries _time date response_time

 

0 Karma
Reply

rchams
Explorer
‎06-15-2020 07:02 AM

@to4kawa  @Hi Thanks for the query.

It's comparing total day, i'm looking for specific time frame today with yesterday. The query which you provided gives the today all day time frame comparison with yesterday all day comparison, if i'm looking 1 hr window for today need to compare with same 1 hr time frame yesterday only. Only those results needs to be displayed. 

0 Karma
Reply

to4kawa
Ultra Champion
‎06-15-2020 02:14 PM

I didn't see any such requirement from the first question and your query.

and your query is span=15min

for 1 hour comparison, How are you going to aggregate 4 values?

Please summarize what you want to do before you ask the question again and again.

0 Karma
Reply

rchams
Explorer
‎06-16-2020 07:06 PM

@to4kawa 

I want to compare the average response time value in 1 hr for span=15 mins to same 1 hr time in yesterday (like 4 aggregate values). 

example i want to compare the average response time for the period 06/15/2020 3 PM to 4 PM with  06/16/2020 3 PM to 4 PM . Only 4 aggregate comparison values should be appear as my results. 
average value comparison 

Looking for results like below

timeframe          today-value     yesterday-value

15.15.00               00000                 00000

15.30.00               44444                 44444

15.45.00               11111                  11111

16.00.00                22222                  22222

0 Karma
Reply

to4kawa
Ultra Champion
‎06-17-2020 02:32 AM

please modify my query.

the result contains what you want.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...