Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify my search to graph the same 30 minute time period for previous weeks on the same graph?

tmurray3
Path Finder
‎12-13-2016 07:16 AM

I have a search to graph the last 30 minutes in 5 minute intervals:

index=web_summary report="volumebyminuteweb" earliest=-30m@m latest=now | bucket _time span=5m|stats count by _time |timechart span=5m sum(count)

I would like to also graph the same time period for the previous 7, 14, 21, and 28 days on the same graph.

How would I modify the query to include the additional time periods?

Thanks in advance for your assistance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

twinspop
Influencer
‎12-13-2016 07:25 AM

Appendcols is what you want. You don't need the bucket and stats commands, just timechart:

index=web_summary report="volumebyminuteweb" earliest=-30m@m latest=@m |timechart span=5m count as Today | 
appendcols [ 
    search index=web_summary report="volumebyminuteweb" earliest=-30m@m-1w latest=@m-1w |timechart span=5m count as "1 week ago" ] |
appendcols [ 
    search index=web_summary report="volumebyminuteweb" earliest=-30m@m-2w latest=@m-2w |timechart span=5m count as "2 weeks ago" ] | 
appendcols [
    search index=web_summary report="volumebyminuteweb" earliest=-30m@m-3w latest=@m-3w |timechart span=5m count as "3 weeks ago" ]

View solution in original post

Reply
Solved! Jump to solution
Solution

twinspop
Influencer
‎12-13-2016 07:25 AM

Appendcols is what you want. You don't need the bucket and stats commands, just timechart:

index=web_summary report="volumebyminuteweb" earliest=-30m@m latest=@m |timechart span=5m count as Today | 
appendcols [ 
    search index=web_summary report="volumebyminuteweb" earliest=-30m@m-1w latest=@m-1w |timechart span=5m count as "1 week ago" ] |
appendcols [ 
    search index=web_summary report="volumebyminuteweb" earliest=-30m@m-2w latest=@m-2w |timechart span=5m count as "2 weeks ago" ] | 
appendcols [
    search index=web_summary report="volumebyminuteweb" earliest=-30m@m-3w latest=@m-3w |timechart span=5m count as "3 weeks ago" ]
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...