Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking at yesterdays data but need to filter the data to only show the time used in the time picker

nelesama
Explorer
‎08-19-2024 02:33 AM

I've got a data set which collects data everyday but for my graph I'd like to compare the time selected to the same duration 24 hours before.

 

I can get the query to do the comparison but I want to be able to show only the timeframe selected in the timepicker i.e. last 30 mins rather then the fill -48hours etc.

 

Below is the query I've used:

index=naming version=2.2.* metric="playing" earliest=-36h latest=now
| dedup _time, _raw
| timechart span=1h sum(value) as value
| timewrap 1d
| rename value_latest_day as "Current 24 Hours", value_1day_before as "Previous 24 Hours"
| foreach * [eval <<FIELD>>=round(<<FIELD>>, 0)]



This is the base query I've used.

For a different version I have done a join however that takes a bit too long to join. Ideally I want to be able to filter the above data (as it's quite quick to load) but only for the time picked in the time picker.

 

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-19-2024 03:01 AM

Try starting with something like this

index=naming version=2.2.* metric="playing" [| makeresults
| fields - _time
| addinfo
| eval day=mvrange(0,2)
| mvexpand day
| eval earliest=relative_time(info_min_time,"-".day."d")
| eval latest=relative_time(info_max_time,"-".day."d")
| fields earliest latest]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nelesama
Explorer
‎08-19-2024 06:35 AM

@ITWhisperer what would I need to do if I wanted to look at a bigger window? 

My max would be to pick 7 days in my time picker, how would i edit the above to look at that?

Thank you in advance

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-19-2024 06:59 AM

Your requirement is unclear - do you want your 30 minutes for the last 7 days, or 30 minutes and 30 minutes 7 days ago, or 7 days and a different 7 days from some other point in the past?

0 Karma
Reply
Solved! Jump to solution

nelesama
Explorer
‎08-19-2024 07:09 AM

Sorry for the unclear message, I'd like to select whatever duration in the time picker i.e. last 30 mins / last 7 days and be able to look at the past data for the time period.

So for the 30 mins today, I'd look at today's 30 mins and then compare yesterdays 30 mins. Your query actually helps me do that however seems like there's a limit of 48 hours.

In the time picker, I'd like to use the above to select (max) 7 days worth of data and look at the previous 7 days worth of data for that.

If I wanted to do that would that be a different query or could I do that by editing the above query.

Please do let me know if that was unclear

Thanks,

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-19-2024 09:56 AM

Essentially, the mvrange and mvexpand gives you two events one with row equal to zero and one with row equal to one. If you can use these to calculate how far back you want the send event to be based on the difference between the info_min_time and info_max_time (which are returned by addinfo), you can modify the calculation for earliest and latest appropriately. Hopefully that makes sense.

0 Karma
Reply
Solved! Jump to solution

nelesama
Explorer
‎08-19-2024 05:02 AM

thank you @ITWhisperer that's perfect and hasn't slowed down my query!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-19-2024 03:01 AM

Try starting with something like this

index=naming version=2.2.* metric="playing" [| makeresults
| fields - _time
| addinfo
| eval day=mvrange(0,2)
| mvexpand day
| eval earliest=relative_time(info_min_time,"-".day."d")
| eval latest=relative_time(info_max_time,"-".day."d")
| fields earliest latest]
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...