Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need to Create Two Time Series in One Chart

msettipane
Splunk Employee
Splunk Employee
‎11-28-2012 07:26 AM

Answer below.

0 Karma
Reply

msettipane
Splunk Employee
Splunk Employee
‎11-28-2012 07:27 AM

Credit to Dritan.

Plotting two time-series in one chart is a frequent ask from many of our customers. After several related questions/requests in chat and mailing lists I decided to create and share three macros to facilitate this. They draw two time-series graphs by using a single search while manipulating the _time field and then keying the series off of a new field. Of course, there are several ways to achieve this, as witnessed in Answers and elsewhere, so feel free to modify as necessary. But whatever smart changes and improvements you make (such as parametrize even further ex. the time range, the span etc), please share.

macros.conf

hour over hour compare, 1m span

[twoseries_h(2)]
args = search, measure
definition = $search$ earliest=-1h@h \
| bin span=1m _time\
| addinfo\
| eval marker = if(_time < info_min_time + 3600, "Last Hour", "Current Hour") \
| eval _time = if(_time < info_min_time + 3600, _time + 3600, _time) \
| chart $measure$ by _time marker
iseval = 0

day over day compare, 15m span

[twoseries_d(2)]
args = search, measure
definition = $search$ earliest=-1d@d \
| bin span=15m _time\
| addinfo\
| eval marker = if(_time < info_min_time + 24*3600, "Yesterday", "Today") \
| eval _time = if(_time < info_min_time + 24*3600, _time + 24*3600, _time) \
| chart $measure$ by _time marker
iseval = 0

week over week compare, 1h span

[twoseries_w(2)]
args = search, measure
definition = $search$ earliest=-1w@w\
| bin span=1h _time\
| addinfo\
| eval marker = if(_time < info_min_time + 7*24*3600, "Last Week", "Current Week") \
| eval _time = if(_time < info_min_time + 7*24*3600, _time + 7*24*3600, _time) \
| chart $measure$ by _time marker
iseval = 0

Sample Searches:

Event Count: Current Hour vs. Last Hour

twoseries_h("index=_internal", count)

Indexing Thruput: Today vs. Yesterday
twoseries_d("index=_internal group=per_index_thruput series=_internal", "avg(kbps)")

Started Searches: Current Week vs. Last Week
twoseries_w("index=_internal source=*metrics.log group=searchscheduler", "sum(dispatched)")

More info here:
http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/
http://splunk-base.splunk.com/answers/11350/2-searches-1-chart
http://splunk-base.splunk.com/answers/23345/2-searches-1-graph
http://splunk-base.splunk.com/answers/2712/line-chart-comparing-yesterdays-result-with-todays-result...

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...