Splunk Search

How to properly display trend comparison of values over Hour by Day for multiple days?

ten_yard_fight
Path Finder

The following query will display a simple chart for trend comparison. This works well if you keep the days you're comparing =< 4 days.
The Query:

index="my_index"
| search src="all_sources" 
| bin _time as Time
| eval Day=strftime(Time,"%m-%d")
| eval Hour=strftime(Time,"%H") 
| chart eval(round(avg(transfer_duration), 2)) as AvgXferDuration over Hour by Day

The above query will produce the following graph. (as long as its =< 4 days)

alt text

Now, if you increase the days to > 4 days. For example, if you want to see a week's trend (7 days). You will get the following graph. Notice the graph lines become scattered points in the center. (not sure why this happens)

alt text

What is the proper way to display the graph for multiple days? e.g. > 4 days, 7 days, etc.

0 Karma
1 Solution

to4kawa
Ultra Champion
| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-2month@d"), relative_time(_time,"@d")) 
| makecontinuous _time span=15min 
| eval transfer_duration=random() % 3.50 + .5 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution." 

| eval Day=strftime(_time,"%m-%d") 
| eval Hour=strftime(_time,"%H") 

| rename COMMENT AS "this is key logic" 

| where _time >relative_time(now(),"-7d@d") 

| chart eval(round(avg(transfer_duration), 2)) as AvgXferDuration over Hour by Day

View solution in original post

to4kawa
Ultra Champion
| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-2month@d"), relative_time(_time,"@d")) 
| makecontinuous _time span=15min 
| eval transfer_duration=random() % 3.50 + .5 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution." 

| eval Day=strftime(_time,"%m-%d") 
| eval Hour=strftime(_time,"%H") 

| rename COMMENT AS "this is key logic" 

| where _time >relative_time(now(),"-7d@d") 

| chart eval(round(avg(transfer_duration), 2)) as AvgXferDuration over Hour by Day

ten_yard_fight
Path Finder

Thank you very much @to4kawa . I see where my issue was. Your example helped me pay attention to the details.
Turns out if I DO NOT bin _time, but instead remove it from my query, the chart command processes my transform correctly.

Again, thank you for your suggestion. Please enjoy some of my karma.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...