Is there a way to timewrap on stats for comparing ...

mikeyty07 · ‎11-28-2023

I am using below query for comparing todays, yesterday and 8days before data, when i use timechart command the timewrap works but when i use on stats I get 2 rows of data where as there will be multiple other URLs to compare, is it possible to compare it with stats? otherwise with timechart it creates a lots of colums with url avg and counts.

<query> URL=*
[| makeresults
| addinfo
| eval row=mvrange(0,3)
| mvexpand row
| eval row=if(row=2,8,row)
| eval earliest=relative_time(info_min_time,"-".row."d")
| eval latest=relative_time(info_max_time,"-".row."d")
| table earliest latest] | eval URL=replace(URL,"/*\d+","/{id}")
| bucket _time span=15m
| stats avg(responseTime) count by URL _time| sort -_time URL | timewrap d

richgalloway · ‎11-28-2023

The timewrap command requires a timechart command be used before it. Use stats if you need to, but be sure to call timechart before calling timewrap.

---
If this reply helps you, Karma would be appreciated.

Is there a way to timewrap on stats for comparing data

eval

stats

timechart

tstats

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?