Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create a week over week chart compariso...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a week over week chart comparison from current time
index=data du=
or
index=data du=
I am useing version 4.3.2, build 123586
I have been trying to figure out how to make a chart with the current day/time compared to one week ago same day and time.
I have left out the dozens of variations I've tried to spare other newbies like myself the frustration of working through them only to find they didn't work.
** I used "all" since the asterisk wasn't being displayed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
An old thread, but Splunk has now a better way to do this, using Timewrap
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap
Try this:
index=_internal sourcetype=splunkd eps>0 earliest=-1mon latest=now
| timechart avg(eps) span=1h
| timewrap 1w
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How would you achieve the same results but on the same x axis? So that the X axis just had the day of the week -> mon,tues,weds
and then have numerous lines for this week and 1 week ago?
That would be a lot better.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Kallu, I was able to get my question answered. This worked for me:
index=_internal sourcetype=splunkd eps > 0 | addinfo
| eval date_wnum=strftime(_time, "%V")
| eval date_wnum_now=strftime(info_max_time, "%V")
| eval _time=_time+(date_wnum_now-date_wnum)*86400*7
| eval date_wnum=if(date_wnum==date_wnum_now,"This week",(date_wnum_now-date_wnum)." weeks ago")
| bin _time span=1h
| chart avg(eps) over _time by date_wnum
| makecontinuous _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this maybe, it doesn't take into account timezone changes, leap years etc.
index=_internal sourcetype=splunkd eps > 0 | addinfo
| eval date_wnum=strftime(_time, "%V")
| eval date_wnum_now=strftime(info_max_time, "%V")
| eval _time=_time+(date_wnum_now-date_wnum)*86400*7
| eval date_wnum=if(date_wnum==date_wnum_now,"This week",(date_wnum_now-date_wnum)." weeks ago")
| bin _time span=1h
| chart avg(eps) over _time by date_wnum
| makecontinuous _time
It works by shifting previous weeks data into this week, but tagging it as "X weeks ago"
I use chart instead of timechart because timechart would plot the entire date range in the search, but because everything is timeshifted, all the data would be crammed at the end of the chart.
You need | makecontinuous _time
So that the JSchart prints reasonable 'time' values, instead of XML stype time values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great, that looks like it works! Thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How does your data look? If you already have "du" -field in it I don't see any need for "multikv" -commands in your search. Also in your original example you were counting number of events by opp(?) but then you have changed it to be hourly average of du -field. Was this done on purpose? Does your search/charting work for today and week-ago if you run them separately?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And it isn't showing up on a fancy chart like in the examples:
http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting strange output and no legend stating "today" and "yesterday".
index=data du=* earliest=-0d@d latest=now | multikv | eval ReportKey="today" | append [search index="data" earliest=-7d@d latest=-6d@d | multikv | eval ReportKey="same day last week" | eval _time=_time+60*60*24*7] | timechart span=60m avg(du) by ReportKey
** 'du' values are different integers.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
