Splunk Search

How to overlay two graphs with different time ranges

OctoberP
Explorer

Would you know how can I display an overlay of two charts that have different time ranges on the X-axis?
For example, I would like to compare CPU utilization yesterday with the CPU utilization a week ago.

Is it possible to combine the results of two searches below into one chart?
  | mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-2days latest=-1days | timechart min(cpu_idle_pct) span=1hour
  | mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-9days latest=-8days | timechart min(cpu_idle_pct) span=1hour

Thanks !

Labels (1)
0 Karma
1 Solution

eddieddieddie
Path Finder

Hi OctoberP

As suggested the timewrap command should help. The trick here is just showing the two days you're interesting in and not everthing else inbetween (otherwise when it's graphed you have a long empty stretch).

I came up with the following which gets the data for the complete time period where the two days you're interested in overlap, and then time wraps it by a week ('w') so that the two days will overlap when plotted on a graph. The results are then cropped by the where command on the last line to just show the day you're interested in.

| mstats avg(Processor.%_Processor_Time) AS CPUUsage WHERE index=mymetrics host=myserver span=5min earliest=-9days@d latest=-1days@d
| timechart span=1h avg(CPUUsage) AS "CPUUsage"
| timewrap w
| where strftime(_time, "%A") == strftime( relative_time(now(), "-2days@d") ,"%A" )

 

View solution in original post

OctoberP
Explorer

Thank you! The approach with 'timewrap' command worked perfectly for me.

0 Karma

eddieddieddie
Path Finder

Hi OctoberP

As suggested the timewrap command should help. The trick here is just showing the two days you're interesting in and not everthing else inbetween (otherwise when it's graphed you have a long empty stretch).

I came up with the following which gets the data for the complete time period where the two days you're interested in overlap, and then time wraps it by a week ('w') so that the two days will overlap when plotted on a graph. The results are then cropped by the where command on the last line to just show the day you're interested in.

| mstats avg(Processor.%_Processor_Time) AS CPUUsage WHERE index=mymetrics host=myserver span=5min earliest=-9days@d latest=-1days@d
| timechart span=1h avg(CPUUsage) AS "CPUUsage"
| timewrap w
| where strftime(_time, "%A") == strftime( relative_time(now(), "-2days@d") ,"%A" )

 

OctoberP
Explorer

Thank you! The approach with 'timewrap' command worked perfectly for me.

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Calculate the hour from the _time variable and use that as your common x-axis

nyc_jason
Splunk Employee
Splunk Employee

Hello, please have a look at the timewrap command. https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Timewrap?ref=hk

This may be what youre looking for.

Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...