Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Plot graph for previous 2 weekday average

Tester237
Explorer
‎10-03-2023 11:19 PM

Hi, I'm trying to plot graph for previous 2 weekday average. Below is the query used

index="xyz"  sourcetype="abc" app_name="123" or "456" earliest=-15d@d latest=now | rex field=msg "\"[^\"]*\"\s(?<status>\d+)"
| eval HTTP_STATUS_CODE=case(like(status, "2__"),"2xx") 
| eval current_day = strftime(now(), "%A") 
| eval log_day = strftime(_time, "%A") 
| where current_day == log_day
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%d")
| stats count by hour day HTTP_STATUS_CODE 
| chart avg(count) as average by hour HTTP_STATUS_CODE

 This plots grpah for complete 24hrs. 

Tester237_0-1696400235930.png


I wanted to know if I can limit the graph to current timestamp. Say now system time is 11AM. I want graph to be plotted only upto 11AM and not entire 24hrs. Can it be done ? Please advice

Labels (4)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-04-2023 12:45 AM

Just to be clear, you are thinking of previous 2-week average by hour of day, not previous 2 weekday average.  Correct?

index="xyz"  sourcetype="abc" app_name="123" or "456" earliest=-15d@d latest=now | rex field=msg "\"[^\"]*\"\s(?<status>\d+)"
| eval current_day = strftime(now(), "%A") 
| eval log_day = strftime(_time, "%A") 
```| where current_day == log_day```
| eval hour=strftime(_time, "%H")
| eval current_hour = strftime(now(), "%H") 
| where hour <= current_hour
| eval day=strftime(_time, "%d")
| stats count by hour day HTTP_STATUS_CODE
| chart avg(count) as average by hour HTTP_STATUS_CODE

Note you cannot have | where current_day == log_day and still get average across multiple days.

Reply

Tester237
Explorer
‎10-04-2023 04:59 AM

@yuanliu I'm looking for previous 2 "weekday" average. 

Consider, today is "Wednesday". I want to plot avg of previous 2 Wednesday's as a comparison against live data. 

Along with this, how can the search be only limited to the time range selected from the time picker ? 

 

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...