How to compare two time same time frames with diff...

rchams · ‎06-12-2020

How to compare the average value of the field in two different time frames i.e same time today with same time yesterday.

Compare the today time frame with yesterday's time frame.

richgalloway · ‎06-12-2020

Depending on your query, you may be able to use the timewrap command.

---
If this reply helps you, Karma would be appreciated.

rchams · ‎06-12-2020

If i use timewrap it gives the total day average like yesterday total average comparing with today time frame(example like last 60mins). I'm looking for the search to compare the average value in the same time frame like 1 pm to 1.30 pm today with 1 pm to 1.30 pm yesterday.

my search is :

index=XXXX sourcetype=XXXXX esb_service="XXXXXX" esb_environment=prod esb_event=esbRespBE
| eval esb_backend_time=round(esb_backend_time/1000,2)
| bin _time span=15m
| stats max(esb_backend_time) as response_time by esb_service,_time
| eval response_time = round(response_time,2)

to4kawa · ‎06-12-2020

index=XXXX sourcetype=XXXXX esb_service="XXXXXX" esb_environment=prod esb_event=esbRespBE
| eval esb_backend_time=round(esb_backend_time/1000,2)
| bin _time span=15m
| stats max(esb_backend_time) as response_time by esb_service,_time
| eval response_time = round(response_time,2)

| eval date=if(strftime(now(),"%F")=strftime(_time,"%F"),"today","yesterday")

| eval _time=strftime(_time,"%T")

| xyseries _time date response_time

rchams · ‎06-15-2020

@to4kawa @Hi Thanks for the query.

It's comparing total day, i'm looking for specific time frame today with yesterday. The query which you provided gives the today all day time frame comparison with yesterday all day comparison, if i'm looking 1 hr window for today need to compare with same 1 hr time frame yesterday only. Only those results needs to be displayed.

to4kawa · ‎06-15-2020

I didn't see any such requirement from the first question and your query.

and your query is span=15min

for 1 hour comparison, How are you going to aggregate 4 values?

Please summarize what you want to do before you ask the question again and again.

rchams · ‎06-16-2020

@to4kawa

I want to compare the average response time value in 1 hr for span=15 mins to same 1 hr time in yesterday (like 4 aggregate values).

example i want to compare the average response time for the period 06/15/2020 3 PM to 4 PM with 06/16/2020 3 PM to 4 PM . Only 4 aggregate comparison values should be appear as my results.
average value comparison

Looking for results like below

timeframe today-value yesterday-value

15.15.00 00000 00000

15.30.00 44444 44444

15.45.00 11111 11111

16.00.00 22222 22222

to4kawa · ‎06-17-2020

please modify my query.

the result contains what you want.

How to compare two time same time frames with different day's.

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation