Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Plot data for two different time ranges in the same visualization?

bigll
Path Finder
‎03-19-2024 01:24 PM

Hi.

I found old article on the subject and followed, but I do not see overlaying charts.
My SPL
-------------
index=firewall sourcetype="collector" fqdn="fw.myorg.com" earliest=-2d@d latest=-1d@d
| multikv
| eval ReportKey=today
| append [search index=firewall sourcetype="collector" fqdn="fw.myorg.com" earliest=-4d@d latest=-3d@d
| multikv
| eval ReportKey=yesterday
| eval _time = _time + 2*86400]
| timechart span=1H count by ReportKey

-------------
So I expect it would report by ReportKey instead it shows by NULL
---
chart1.jpg
-------------
chart.jpg

Labels (4)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-19-2024 01:35 PM

A simple mistake. You forgot quotes around values you want to assign to the ReportKey field so Splunk treats those values as field names. As you apparently have no such fields in yoir data you end up with empty (null) values.

View solution in original post

Reply
Solved! Jump to solution

bigll
Path Finder
‎03-19-2024 02:00 PM

I think I got it.
Need properly configure "_time" depend on difference in days i.e. for week long difference 
eval _time = _time + 7*86400.

If I am wrong, please advise.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-19-2024 02:21 PM

You can also try to fiddle with the timewrap command (but that's just a general idea, I don't have any particular solution in mind at the mkment).

0 Karma
Reply
Solved! Jump to solution

bigll
Path Finder
‎03-19-2024 01:48 PM

I see report by ReportKey now, but graph is leaner I wonder how I can get something like one in articale.
image1small[1].png

0 Karma
Reply
Solved! Jump to solution

bigll
Path Finder
‎03-19-2024 01:39 PM

Thank you very much.

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-19-2024 01:35 PM

A simple mistake. You forgot quotes around values you want to assign to the ReportKey field so Splunk treats those values as field names. As you apparently have no such fields in yoir data you end up with empty (null) values.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...