I've been stuck on this for a bit and need some advice. I have it partially working, but I'm trying to figure out if there's a better way of achieving what I need. I'm using a timerangepicker and I'm getting the "now-x" error. So what I'm doing is comparing, let's say, the past 60 minutes vs the previous day vs the previous week in the same time period. The "current" needs to be dynamic so I can select, let's say, the past 2 hours vs the past 2 hours from the previous day (and previous week). Currently, I'm using an eval to create the earliest and latest (for the subsearch) and then a where to filter out the time period. I would prefer to have the earliest and latest set globally as I have multiple dashboards that utilize comparing current with previous weeks. Any advice?
Pardon the poor search; I'm still a noob with this:
index=anyindex earliest=-60m latest=now | eval label="current" | timechart span=5m count by label | appendcols [ search index=anyindex | eval earliesttime=relative_time(now(),"-60m-24h") | eval latesttime=if("$range.latest$"=="now",relative_time(now(),"-24h"),relative_time(now(),"$range.latest$-24h")) | where _time>earliesttime AND _time<=latesttime | eval label="day ago" | timechart span=5m count by label ]
Nope - this answer won't work!! Why? Because Splunk runs the inner search using the same info from the timerange picker as the outer search - so the data that you want has already been excluded by the time you get to the
Here is a more general way of writing your search:
index=anyindex | eval label= "current" | timechart span=5m count by label | appendcols [ search index=anyindex | eval comparison="-1d" | eval label= "day ago" | addinfo | eval earliest_time=relative_time(info_min_time,comparison) | eval latest_time=relative_time(info_max_time,comparison) | where _time>earliest_time and _time<=latest_time | timechart span=5m count by label ]
Note the line | eval comparison="-1d" | eval label= "day ago" . This is where the comparison range is set. If you were to make this into a form search, you would be able to add a drop-down that let someone pick a day, a week, etc. and substitute that value into the appropriate line.
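A small model of the time arithmetic this answer relies on, as an added example that is not part of the thread and not Splunk code: it resolves picker tokens such as -1h@h / @h, shifts the addinfo window the way relative_time(info_min_time, comparison) does, and rejects the "now-1d" form that the picker refuses. The unit set, the UTC day snap and the rule that "now" must stand alone are simplifying assumptions, not Splunk's full parser.

```python
"""Model of Splunk-style relative time modifiers ("-1d", "-60m-24h", "-1h@h").

Added example (assumption: simplified grammar, m/h/d/w offsets, @m/@h/@d
snapping in UTC). Not Splunk's own parser.
"""
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
_OFFSET = re.compile(r"([+-])(\d+)([smhdw])")
_MODIFIER = re.compile(r"^(now)?((?:[+-]\d+[smhdw])*)(?:@([mhd]))?$")


def is_valid_modifier(modifier: str) -> bool:
    """True for bare "now", or offsets with optional @snap; "now-1d" is rejected."""
    m = _MODIFIER.match(modifier)
    if not m or modifier == "":
        return False
    has_now, offsets, snap = m.groups()
    # In this model "now" cannot carry an offset, mirroring the picker error.
    return not (has_now and (offsets or snap))


def relative_time(base_epoch: int, modifier: str) -> int:
    """Shift base_epoch like SPL relative_time(X, Y): offsets first, then snap down."""
    if not is_valid_modifier(modifier):
        raise ValueError(f"invalid relative time modifier: {modifier!r}")
    has_now, offsets, snap = _MODIFIER.match(modifier).groups()
    if has_now:
        return base_epoch  # plain "now" resolves to the base time itself
    epoch = base_epoch
    for sign, n, unit in _OFFSET.findall(offsets):
        delta = int(n) * UNIT_SECONDS[unit]
        epoch += delta if sign == "+" else -delta
    if snap:
        epoch -= epoch % UNIT_SECONDS[snap]  # @h -> start of hour, @d -> UTC midnight
    return epoch


def picker_window(now_epoch: int, earliest: str, latest: str) -> tuple:
    """Resolve the time picker's earliest/latest tokens to epoch seconds."""
    return relative_time(now_epoch, earliest), relative_time(now_epoch, latest)


def comparison_window(info_min_time: int, info_max_time: int, comparison: str) -> tuple:
    """Shift the addinfo window by `comparison`, as the answer's two evals do.

    The epoch pair returned is what earliest=/latest= can be given directly,
    which avoids building strings like "now-1d".
    """
    return relative_time(info_min_time, comparison), relative_time(info_max_time, comparison)


if __name__ == "__main__":
    now = 1700000000  # constructed sample "now" (2023-11-14 22:13:20 UTC)
    cur = picker_window(now, "-1h@h", "@h")
    print("current   :", cur)
    print("day ago   :", comparison_window(*cur, "-1d"))
    print("week ago  :", comparison_window(*cur, "-1w"))
    print("now-1d ok?:", is_valid_modifier("now-1d"))
```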
Another brainstorm: if you want to do this as a form search, go to Settings -> User Interface -> Views. Create a new view, and copy/paste this into the box:
<form>
  <label>Test</label>
  <searchTemplate>
    <![CDATA[ index=anyindex earliest=$search_time.earliest$ latest=$search_time.latest$ | eval label= "Current" | timechart span=5m count by label | appendcols [ search index=anyindex earliest=$search_time.earliest$-$time_comparison$ latest=$search_time.latest$-$time_comparison$ | addinfo | eval label = "From " + strftime(info_min_time,"%x %X") + " to " + strftime(info_max_time,"%x %X") | timechart span=5m count by label ] ]]>
  </searchTemplate>
  <fieldset>
    <input type="time" token="search_time" searchWhenChanged="false">
      <label>Search over</label>
      <default>
        <earliestTime>-1h@h</earliestTime>
        <latestTime>@h</latestTime>
      </default>
    </input>
    <input type="dropdown" token="time_comparison">
      <label>Compare with Previous</label>
      <choice value="1h">Hour</choice>
      <choice value="1d">Day</choice>
      <choice value="1w">Week</choice>
      <default>1h</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Comparison with previous $time_comparison$</title>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Table of comparison with previous $time_comparison$</title>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
Then try it out. The name of the view is Test, so that is probably what you should name it (so things don't get confusing).
I am a newbie. I tried to follow the above post and I am getting the error: not a valid value for earliest (date's equivalent number -1) / latest (now-1w). Any help is appreciated.
If you don't want to do a form search, you can explicitly set the time ranges that you want in the two searches:
index=anyindex earliest=-1h@h latest=@h | eval label= "current" | timechart span=5m count by label | appendcols [ search index=anyindex earliest=-2h@h latest=-1h@h | eval label= "hour ago" | timechart span=5m count by label ]
This is the simplest answer, but the least flexible.
Thanks! This is awesome... though I still get the "now" error: Invalid value "now-1d" for time term 'latest'. I understand that setting time to @h or something fixes it, but I can't guarantee users won't select now. Is there a way around that?
Thanks again!! This is wonderful!