Splunk Search

How to display a single value trend from 2 different relative time?

jip31
Motivator

Hi

I would like to display a trend indicator between these 2 different relative times.

Is it possible?


index=toto sourcetype=tutu earliest=-8d@d+7h latest=-8d@d+19h OR  earliest=@d+7h latest=@d+19h 
| timechart count as "erreurs" span=1d


Thanks

0 Karma

bowesmana
SplunkTrust

They are the same time ranges.

The timewrap command may be what you are after, e.g.

| timechart count as "erreurs" span=1d
| timewrap 1d

0 Karma

jip31
Motivator

If I do this, I have a result for the current day and a value for the last 7 days, so the trend works:

index=toto
| search cit > 10000
| timechart count span=7d

But what I need is to use the relative time for the current day and, for the comparison, the relative time not of the last 7 days but of the corresponding day at day - 7.

Is it possible to do this?

earliest=-8d@d+7h latest=-8d@d+19h OR  earliest=@d+7h latest=@d+19h 

0 Karma

bowesmana
SplunkTrust

Doesn't the timewrap give you what you need?

index=_audit (earliest=-8d@d+7h latest=-8d@d+19h) OR  (earliest=-d@d+7h latest=-d@d+19h)
| timechart fixedrange=f span=1h count
| timewrap 1d
| fields _time 7days_before latest_day
| addtotals
| where Total>0
| fields - Total
0 Karma

jip31
Motivator

Sorry, that's not what I need.

With a table panel, I can see the result for the latest day and the result for 7 days before.

But what I need is to display a single-value panel trend indicator, and it doesn't work with your example.

0 Karma

bowesmana
SplunkTrust

Do you mean either of these?

[screenshot: bowesmana_0-1647497369664.png]

[screenshot: bowesmana_1-1647497546811.png]

Your existing search will do the second one - just format the visualisation and show the trend as 7 days before:

[screenshot: bowesmana_2-1647497604761.png]

Or add the final line to the query:

| where count>0

and leave the trend as default, and you get the first view?

If this is not what you want, can you expand on exactly what you want to see?

0 Karma
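For reference, an added example (not a search posted in this thread) of building the two-row time series that a single-value panel with trend expects: one bucket for the 07:00-19:00 window 7 days ago and one for the same window today, so the panel's trend arrow is the difference between those two days only. It assumes the index/sourcetype names from the question and that `erreurs` is simply an event count.

```spl
index=toto sourcetype=tutu ((earliest=-7d@d+7h latest=-7d@d+19h) OR (earliest=@d+7h latest=@d+19h))
| timechart span=1d count as erreurs
| where _time=relative_time(now(), "-7d@d") OR _time=relative_time(now(), "@d")
| table _time erreurs
```

Using timechart rather than stats keeps the day-7 bucket as an explicit 0 when nothing matched, so the panel still has a "previous" row to compute the trend against; point the panel at the full time series and it shows today's count with the trend versus day - 7.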