How to overlay two graphs with different time ranges

OctoberP
Explorer

Would you know how I can display an overlay of two charts that have different time ranges on the X-axis?
For example, I would like to compare CPU utilization yesterday with the CPU utilization a week ago.

Is it possible to combine the results of two searches below into one chart?
  | mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-2days latest=-1days | timechart min(cpu_idle_pct) span=1hour
  | mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-9days latest=-8days | timechart min(cpu_idle_pct) span=1hour

Thanks !

1 Solution

eddieddieddie
Path Finder

Hi OctoberP

As suggested, the timewrap command should help. The trick here is just showing the two days you're interested in and not everything else in between (otherwise when it's graphed you have a long empty stretch).

I came up with the following which gets the data for the complete time period where the two days you're interested in overlap, and then time wraps it by a week ('w') so that the two days will overlap when plotted on a graph. The results are then cropped by the where command on the last line to just show the day you're interested in.

| mstats avg(Processor.%_Processor_Time) AS CPUUsage WHERE index=mymetrics host=myserver span=5min earliest=-9days@d latest=-1days@d
| timechart span=1h avg(CPUUsage) AS "CPUUsage"
| timewrap w
| where strftime(_time, "%A") == strftime( relative_time(now(), "-2days@d") ,"%A" )


OctoberP
Explorer

Thank you! The approach with 'timewrap' command worked perfectly for me.

ITWhisperer
SplunkTrust

Calculate the hour from the _time variable and use that as your common x-axis
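
The hour-of-day approach from the reply above, written out as a search. This is an added example, not code posted by anyone in the thread; it reuses the index, host and metric names from the question, and the field name hour and the series labels yesterday and week_ago are assumed names chosen for illustration.

```spl
| mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver earliest=-2days@d latest=-1days@d span=5min
| eval series="yesterday"
| append
    [| mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver earliest=-9days@d latest=-8days@d span=5min
     | eval series="week_ago"]
| eval hour=strftime(_time, "%H")
| chart min(cpu_idle_pct) OVER hour BY series
```

Each day becomes one column keyed by the zero-padded hour (00 to 23), so a line chart draws both days on the same 24-point x-axis with no empty stretch between them.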

nyc_jason
Splunk Employee

Hello, please have a look at the timewrap command. https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Timewrap?ref=hk

This may be what you're looking for.
