Splunk Search

How to overlay two graphs with different time ranges

OctoberP
Explorer

Would you know how can I display an overlay of two charts that have different time ranges on the X-axis?
For example, I would like to compare CPU utilization yesterday with the CPU utilization a week ago.

Is it possible to combine the results of two searches below into one chart?
  | mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-2days latest=-1days | timechart min(cpu_idle_pct) span=1hour
  | mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-9days latest=-8days | timechart min(cpu_idle_pct) span=1hour

Thanks !

Labels (1)
0 Karma
1 Solution

eddieddieddie
Path Finder

Hi OctoberP

As suggested the timewrap command should help. The trick here is just showing the two days you're interesting in and not everthing else inbetween (otherwise when it's graphed you have a long empty stretch).

I came up with the following which gets the data for the complete time period where the two days you're interested in overlap, and then time wraps it by a week ('w') so that the two days will overlap when plotted on a graph. The results are then cropped by the where command on the last line to just show the day you're interested in.

| mstats avg(Processor.%_Processor_Time) AS CPUUsage WHERE index=mymetrics host=myserver span=5min earliest=-9days@d latest=-1days@d
| timechart span=1h avg(CPUUsage) AS "CPUUsage"
| timewrap w
| where strftime(_time, "%A") == strftime( relative_time(now(), "-2days@d") ,"%A" )

 

View solution in original post

OctoberP
Explorer

Thank you! The approach with 'timewrap' command worked perfectly for me.

0 Karma

eddieddieddie
Path Finder

Hi OctoberP

As suggested the timewrap command should help. The trick here is just showing the two days you're interesting in and not everthing else inbetween (otherwise when it's graphed you have a long empty stretch).

I came up with the following which gets the data for the complete time period where the two days you're interested in overlap, and then time wraps it by a week ('w') so that the two days will overlap when plotted on a graph. The results are then cropped by the where command on the last line to just show the day you're interested in.

| mstats avg(Processor.%_Processor_Time) AS CPUUsage WHERE index=mymetrics host=myserver span=5min earliest=-9days@d latest=-1days@d
| timechart span=1h avg(CPUUsage) AS "CPUUsage"
| timewrap w
| where strftime(_time, "%A") == strftime( relative_time(now(), "-2days@d") ,"%A" )

 

View solution in original post

OctoberP
Explorer

Thank you! The approach with 'timewrap' command worked perfectly for me.

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Calculate the hour from the _time variable and use that as your common x-axis

jschogel_splunk
Splunk Employee
Splunk Employee

Hello, please have a look at the timewrap command. https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Timewrap?ref=hk

This may be what youre looking for.

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!