Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to display comparison between previous week with current week in Single Value with trendline

sangs8788
Communicator
‎08-20-2018 11:05 PM

Hi,

I have a query which should ideally give me results for the Last week and the current week Request count.

index=data earliest=-1w@w latest=now | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s",walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s",walltime>=4000 AND walltime<10000, "6s-10s",walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s")| timechart span=1w count  as RequestCount by Latency

When represented in a single value, it should result me single value of current week along with trendline compared with previous week. But the above query results for both previous week & latest week not the recent 3 days in current week, which is wrong. Here is the preview of the result

alt text

How do i represent only the current week's result value alone displayed compared with previous week to show how much in percent less/more the count is ?

Also is it possible to schedule this as a search and have it indexed in summary index. For example, Say every week, i run a query to get that week's result in the name "Previous_week", how do i compare with current week result with the summarized result under the source "Previous_week" ?

Tags (1)
Preview file
1 KB
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-21-2018 01:13 PM

You should use relative_time to accomplish this. Your fist eval will calculate the transactions from the previous week and the next eval will calculate the trx from this week. You can then easily calculate this historical loss

0 Karma
Reply

DalJeanis
Legend
‎08-21-2018 01:09 PM

Please show what kind of result you are looking to achieve.

single value, trendline, and "compared with prior week" don't all go together in my head, for some reason. I can't picture what you might mean.

0 Karma
Reply

sangs8788
Communicator
‎08-20-2018 11:44 PM

ok looks like the result is correct, it is just that it displays the _time as start date of the week. It is working.

But could someone tell me how i can get the data indexed for previous week, and compare it with current week ? I am not sure how i have to index.

Should i use Stats command to index the previous week data ? Or do a timechart and index previous week data ? how do i compare with current weeks data. Its bit confusing for me. appreciate if someone could help me on this.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...