Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get results from last 1 week and last 3 week for the exact time frame of the search

achittela
Loves-to-Learn
‎07-13-2020 01:04 PM

I am new to Splunk, I am trying to get results in the below pattern. Any help is appreciated.

Lets say I am doing search for last 1 hour. I want to get only the results from last week and last 3 weeks and show the average of those.

For example I am doing search at 11 AM today for last 1 hour time frame. I want to get the results of  only 10 -11 AM every day of last 1 week and 10 - 11 AM of last 3 weeks. And show the average of those.

I tried earliest and latest time ranges also tried time chart with the search but not successful. 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-13-2020 01:52 PM

Here's a run-anywhere example.

index=_internal kbps=* earliest=-3w 
`comment("Get the current hour and day-of-week")`
| eval hour=strftime(now(), "%H"), day=lower(strftime(now(), "%A")) 
`comment("Discard events that don't have the current hour and day")`
| where (date_hour=hour AND date_wday=day) 
| timechart cont=f avg(kbps)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

achittela
Loves-to-Learn
‎07-13-2020 02:06 PM

Thanks for replying me back. I tied with the below query, it didn't worked for me.

index=test_logs source_category=testapp* status=400 earliest=-3w
| eval hour=strftime(now(), "%H"), day=lower(strftime(now(), "%A"))
| where (date_hour=hour AND date_wday=day)
| timechart cont=f avg(source_category)

I want to show the statistics something like below.

source_category1weekAvg3weekAvg
testapp1109
testapp21512
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...