Splunk Search

How to create a timechart search to compare the count for the previous 24-hour period from the current time, not day by day?

chrisduimstra
Path Finder

I am trying to create a search to show the previous 24-hour count using timechart so I can show the previous 24 hours with a trend on the single value in a dashboard. This dashboard will be used in real time, so I am looking for the previous 24h from the current time, not day by day. I have the following search.

(search) earliest=-48h | timechart span=24h count

I have determined the results are from the previous 48 hours, but the results are not grouped correctly. I'm looking for 2 results, now-24h and 24h-48h. The groups are split over 5pm, no matter what time the search is run.

_time               count
2016-06-17 17:00    12
2016-06-18 17:00    71
2016-06-19 17:00    55

sundareshr
Legend

Try this

... earliest=-48h | eval when=if(_time>relative_time(now(), "-24h"), "Now", "Prev") | stats count by when

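To make the difference between the two groupings concrete, here is an added Python example (not from the post or from Splunk) that replays the accepted answer's Now/Prev logic over a constructed set of event timestamps and compares it with fixed-boundary bucketing. It assumes a fixed "now" so the output is deterministic, and it simplifies timechart's fixed bucket boundaries to UTC midnight (the post only says the split lands at 5pm). The third function goes beyond the answer: it generalises the two-way split to any number of 24-hour windows counted back from the current time.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: a fixed "now" and six event timestamps (UTC)
# expressed relative to it. In Splunk these would be the _time values.
NOW = datetime(2016, 6, 19, 22, 30, tzinfo=timezone.utc)

EVENTS = [
    NOW - timedelta(hours=1),   # last 24h
    NOW - timedelta(hours=10),  # last 24h
    NOW - timedelta(hours=23),  # last 24h, but before today's midnight
    NOW - timedelta(hours=25),  # 24h-48h ago
    NOW - timedelta(hours=40),  # 24h-48h ago
    NOW - timedelta(hours=47),  # 24h-48h ago
]


def aligned_buckets(events, span=timedelta(hours=24)):
    """Mimic `timechart span=24h`: each event falls into a bucket whose start
    is a fixed wall-clock boundary (simplified here to UTC midnight, i.e. a
    multiple of the span since the Unix epoch). The current time plays no
    part, which is why the split never moves with the search time."""
    span_secs = int(span.total_seconds())
    counts = {}
    for t in events:
        secs = int(t.timestamp())
        start = datetime.fromtimestamp(secs - secs % span_secs, tz=timezone.utc)
        counts[start] = counts.get(start, 0) + 1
    return dict(sorted(counts.items()))


def relative_buckets(events, now):
    """The accepted answer's logic:
    eval when=if(_time>relative_time(now(), "-24h"), "Now", "Prev")
    | stats count by when"""
    cutoff = now - timedelta(hours=24)
    counts = {"Now": 0, "Prev": 0}
    for t in events:
        counts["Now" if t > cutoff else "Prev"] += 1
    return counts


def window_index(events, now, span=timedelta(hours=24)):
    """Generalisation of the Now/Prev split: index 0 is the span ending at
    `now`, 1 the span before that, and so on. Useful when more than two
    now-relative periods are wanted (e.g. a 7-day trend anchored at the
    current time rather than at midnight)."""
    counts = {}
    for t in events:
        idx = int((now - t) // span)
        counts[idx] = counts.get(idx, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    # Fixed boundaries spread the same six events over three day buckets.
    print("aligned :", aligned_buckets(EVENTS))
    # Now-relative grouping always yields exactly the two periods asked for.
    print("relative:", relative_buckets(EVENTS, NOW))
    print("windows :", window_index(EVENTS, NOW))
```

Run as a script it prints the three groupings: the aligned version puts the six events into three midnight-anchored buckets (1, 3, 2), whereas the now-relative version returns Now=3 and Prev=3 no matter what time of day "now" is, which is the behaviour the question asks for.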

chrisduimstra
Path Finder

This appears to be working, thank you.
