- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to overlay two graphs with different time ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would you know how can I display an overlay of two charts that have different time ranges on the X-axis?
For example, I would like to compare CPU utilization yesterday with the CPU utilization a week ago.
Is it possible to combine the results of two searches below into one chart?
| mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-2days latest=-1days | timechart min(cpu_idle_pct) span=1hour
| mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-9days latest=-8days | timechart min(cpu_idle_pct) span=1hour
Thanks !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi OctoberP
As suggested the timewrap command should help. The trick here is just showing the two days you're interesting in and not everthing else inbetween (otherwise when it's graphed you have a long empty stretch).
I came up with the following which gets the data for the complete time period where the two days you're interested in overlap, and then time wraps it by a week ('w') so that the two days will overlap when plotted on a graph. The results are then cropped by the where command on the last line to just show the day you're interested in.
| mstats avg(Processor.%_Processor_Time) AS CPUUsage WHERE index=mymetrics host=myserver span=5min earliest=-9days@d latest=-1days@d
| timechart span=1h avg(CPUUsage) AS "CPUUsage"
| timewrap w
| where strftime(_time, "%A") == strftime( relative_time(now(), "-2days@d") ,"%A" )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! The approach with 'timewrap' command worked perfectly for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi OctoberP
As suggested the timewrap command should help. The trick here is just showing the two days you're interesting in and not everthing else inbetween (otherwise when it's graphed you have a long empty stretch).
I came up with the following which gets the data for the complete time period where the two days you're interested in overlap, and then time wraps it by a week ('w') so that the two days will overlap when plotted on a graph. The results are then cropped by the where command on the last line to just show the day you're interested in.
| mstats avg(Processor.%_Processor_Time) AS CPUUsage WHERE index=mymetrics host=myserver span=5min earliest=-9days@d latest=-1days@d
| timechart span=1h avg(CPUUsage) AS "CPUUsage"
| timewrap w
| where strftime(_time, "%A") == strftime( relative_time(now(), "-2days@d") ,"%A" )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Calculate the hour from the _time variable and use that as your common x-axis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, please have a look at the timewrap command. https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Timewrap?ref=hk
This may be what youre looking for.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
