Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a timechart search to compare the count for the previous 24 hour period from the current time, not day by day?

chrisduimstra
Path Finder
‎06-20-2016 12:35 PM

I am trying to create a search to show the previous 24 hour count using timechart so I can show the previous 24 hours with a trend on the single value in a dashboard. This dashboard will be used in real-time, so I am looking for previous 24h from the current time, not day by day. I have the following search.

(search) earliest=-48h | timechart span=24h count

I have determined the results are from the previous 48 hours, but the results are not grouped correctly. I'm looking for 2 results, now-24h and 24h-48h. The groups are split over 5pm, no matter what time the search is ran.

_time               count
2016-06-17 17:00    12
2016-06-18 17:00    71
2016-06-19 17:00    55
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-20-2016 12:47 PM

Try this

... earliest=-48h | eval when=if(_time>relative_time(now(), "-24h"), "Now", "Prev") | stats count by when

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-20-2016 12:47 PM

Try this

... earliest=-48h | eval when=if(_time>relative_time(now(), "-24h"), "Now", "Prev") | stats count by when
Reply
Solved! Jump to solution

chrisduimstra
Path Finder
‎06-20-2016 01:32 PM

This appears to be working, thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...