Splunk Search

How to overlay two graphs with different time ranges

OctoberP
Explorer

Would you know how can I display an overlay of two charts that have different time ranges on the X-axis?
For example, I would like to compare CPU utilization yesterday with the CPU utilization a week ago.

Is it possible to combine the results of two searches below into one chart?
  | mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-2days latest=-1days | timechart min(cpu_idle_pct) span=1hour
  | mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-9days latest=-8days | timechart min(cpu_idle_pct) span=1hour

Thanks !

Labels (1)
0 Karma
1 Solution

eddieddieddie
Path Finder

Hi OctoberP

As suggested the timewrap command should help. The trick here is just showing the two days you're interesting in and not everthing else inbetween (otherwise when it's graphed you have a long empty stretch).

I came up with the following which gets the data for the complete time period where the two days you're interested in overlap, and then time wraps it by a week ('w') so that the two days will overlap when plotted on a graph. The results are then cropped by the where command on the last line to just show the day you're interested in.

| mstats avg(Processor.%_Processor_Time) AS CPUUsage WHERE index=mymetrics host=myserver span=5min earliest=-9days@d latest=-1days@d
| timechart span=1h avg(CPUUsage) AS "CPUUsage"
| timewrap w
| where strftime(_time, "%A") == strftime( relative_time(now(), "-2days@d") ,"%A" )

 

View solution in original post

OctoberP
Explorer

Thank you! The approach with 'timewrap' command worked perfectly for me.

0 Karma

eddieddieddie
Path Finder

Hi OctoberP

As suggested the timewrap command should help. The trick here is just showing the two days you're interesting in and not everthing else inbetween (otherwise when it's graphed you have a long empty stretch).

I came up with the following which gets the data for the complete time period where the two days you're interested in overlap, and then time wraps it by a week ('w') so that the two days will overlap when plotted on a graph. The results are then cropped by the where command on the last line to just show the day you're interested in.

| mstats avg(Processor.%_Processor_Time) AS CPUUsage WHERE index=mymetrics host=myserver span=5min earliest=-9days@d latest=-1days@d
| timechart span=1h avg(CPUUsage) AS "CPUUsage"
| timewrap w
| where strftime(_time, "%A") == strftime( relative_time(now(), "-2days@d") ,"%A" )

 

OctoberP
Explorer

Thank you! The approach with 'timewrap' command worked perfectly for me.

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Calculate the hour from the _time variable and use that as your common x-axis

nyc_jason
Splunk Employee
Splunk Employee

Hello, please have a look at the timewrap command. https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Timewrap?ref=hk

This may be what youre looking for.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...