Splunk Search

Is there a way to timewrap on stats for comparing data

mikeyty07
Communicator

I am using below query for comparing todays, yesterday and 8days before data, when i use timechart command the timewrap works but when i use on stats I get 2 rows of data where as there will be multiple other URLs to compare, is it possible to compare it with stats? otherwise with timechart it creates a lots of colums with url avg and counts.

<query> URL=*
[| makeresults
| addinfo
| eval row=mvrange(0,3)
| mvexpand row
| eval row=if(row=2,8,row)
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest] | eval URL=replace(URL,"/*\d+","/{id}")
| bucket _time span=15m
| stats avg(responseTime) count by URL _time| sort -_time URL | timewrap d




Labels (4)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The timewrap command requires a timechart command be used before it.  Use stats if you need to, but be sure to call timechart before calling timewrap.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...