index="xxxx" sourcetype="xxx" earliest=-0d@d latest=now | eval ReportKey="today" | append [search index="xxxx" sourcetype="xxx" earliest=-1d@d latest=-0d@d | eval ReportKey="Yesterday" | eval _time=_time+60*60*24] | timechart span=1h avg(abcsdf) by ReportKey
There are a couple of ways to do this. First, consider downloading the free timewrap app from Splunkbase. It is designed to help with exactly this type of search.
You can also do this:
source="dbmon-dump://Order_Rates/Order_Rates_Total" earliest=-48h | eval Day=if (_time<relative_time(now(),"-24h"), "Yesterday", "Today") | eval time=if(Day=="Today",_time,_time+86400) | chart sum(NumOfOrders) as NumberOfOrders by time Day | eval time=strftime(time,"%X")
For each event, the second line determines if the event occurred within the last 24 hours, and labels it appropriately with the Day field. Note that now() refers to the time that the search started. Also note that time is recomputed - since you want the two lines to overlap, this is necessary to make the chart look right.
I changed from the values function to the sum function - it will probably not make any difference, but if you had a time period with no data or duplicate data, I am not sure that values will do what you want.
Also, another resource:
In the blog article, the append command is used, but that complication is not necessary here. Use the append technique if you are comparing results from two entirely different searches. But the technique I show here will usually be faster and appropriate for larger data sets as well.
Try like this
source="dbmon-dump://Order_Rates/Order_Rates_Total" earliest=-1d@d | stats values(NumOfOrders) as NumberOfOrders by _time | eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today") | eval _time=if(_time<relative_time(now(),"@d"),_time+86400,_time) | xyseries _time Day NumberOfOrders
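To make the "shift yesterday forward by a day, then pivot" technique from the two answers above concrete, here is an added Python model of it (example code, not from the thread or from Splunk). It assumes UTC for the @d midnight boundary (Splunk uses the search head's timezone), buckets to one hour like the timechart span=1h variant, and sums values so duplicate or missing hours are handled the way the sum-based answer intends.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400       # seconds added to yesterday's _time so both lines overlap
SPAN = 3600       # span=1h bucket, as in the timechart version

def ts(s):
    """Constructed helper: '2024-03-05 10:30' (UTC) -> epoch seconds."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp()

def overlay_by_hour(events, now):
    """Model of:
         earliest=-1d@d
         | eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
         | eval _time=if(Day=="Yesterday",_time+86400,_time)
         | timechart span=1h sum(value) by Day
    events: iterable of (epoch_seconds, value); now: epoch seconds.
    Returns {"HH:MM": {"Today": sum, "Yesterday": sum}} keyed by shifted hour.
    """
    midnight = now - (now % DAY)            # relative_time(now(), "@d") in UTC
    window_start = midnight - DAY           # earliest=-1d@d
    out = defaultdict(lambda: {"Today": 0, "Yesterday": 0})
    for t, value in events:
        if t < window_start or t > now:     # outside earliest..latest, not searched
            continue
        day = "Yesterday" if t < midnight else "Today"
        shifted = t + DAY if day == "Yesterday" else t   # move yesterday onto today
        bucket = shifted - (shifted % SPAN)              # floor to the hour
        label = datetime.fromtimestamp(bucket, timezone.utc).strftime("%H:%M")
        out[label][day] += value            # sum(): duplicates add up, gaps stay 0
    return dict(out)

# Constructed sample events (epoch, NumOfOrders); search "now" is 2024-03-05 10:30 UTC.
SAMPLE_NOW = ts("2024-03-05 10:30")
SAMPLE_EVENTS = [
    (ts("2024-03-04 09:15"), 10),   # yesterday, 09:00 bucket
    (ts("2024-03-04 09:40"), 5),    # yesterday, same bucket -> summed
    (ts("2024-03-04 23:50"), 3),    # yesterday, 23:00 bucket, no "today" counterpart yet
    (ts("2024-03-05 09:05"), 7),    # today, 09:00 bucket
    (ts("2024-03-05 10:20"), 4),    # today, 10:00 bucket
    (ts("2024-03-03 09:00"), 99),   # two days ago: outside earliest=-1d@d, dropped
]

if __name__ == "__main__":
    for hour, cols in sorted(overlay_by_hour(SAMPLE_EVENTS, SAMPLE_NOW).items()):
        print(hour, cols)
```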