Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Plot graph for previous 2 weekday average

Tester237
Explorer
‎10-03-2023 11:19 PM

Hi, I'm trying to plot graph for previous 2 weekday average. Below is the query used

index="xyz"  sourcetype="abc" app_name="123" or "456" earliest=-15d@d latest=now | rex field=msg "\"[^\"]*\"\s(?<status>\d+)"
| eval HTTP_STATUS_CODE=case(like(status, "2__"),"2xx") 
| eval current_day = strftime(now(), "%A") 
| eval log_day = strftime(_time, "%A") 
| where current_day == log_day
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%d")
| stats count by hour day HTTP_STATUS_CODE 
| chart avg(count) as average by hour HTTP_STATUS_CODE

 This plots grpah for complete 24hrs. 

Tester237_0-1696400235930.png


I wanted to know if I can limit the graph to current timestamp. Say now system time is 11AM. I want graph to be plotted only upto 11AM and not entire 24hrs. Can it be done ? Please advice

Labels (4)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-04-2023 12:45 AM

Just to be clear, you are thinking of previous 2-week average by hour of day, not previous 2 weekday average.  Correct?

index="xyz"  sourcetype="abc" app_name="123" or "456" earliest=-15d@d latest=now | rex field=msg "\"[^\"]*\"\s(?<status>\d+)"
| eval current_day = strftime(now(), "%A") 
| eval log_day = strftime(_time, "%A") 
```| where current_day == log_day```
| eval hour=strftime(_time, "%H")
| eval current_hour = strftime(now(), "%H") 
| where hour <= current_hour
| eval day=strftime(_time, "%d")
| stats count by hour day HTTP_STATUS_CODE
| chart avg(count) as average by hour HTTP_STATUS_CODE

Note you cannot have | where current_day == log_day and still get average across multiple days.

Reply

Tester237
Explorer
‎10-04-2023 04:59 AM

@yuanliu I'm looking for previous 2 "weekday" average. 

Consider, today is "Wednesday". I want to plot avg of previous 2 Wednesday's as a comparison against live data. 

Along with this, how can the search be only limited to the time range selected from the time picker ? 

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...