Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Plot graph for previous 2 weekday average

Tester237
Explorer
‎10-03-2023 11:19 PM

Hi, I'm trying to plot graph for previous 2 weekday average. Below is the query used

index="xyz"  sourcetype="abc" app_name="123" or "456" earliest=-15d@d latest=now | rex field=msg "\"[^\"]*\"\s(?<status>\d+)"
| eval HTTP_STATUS_CODE=case(like(status, "2__"),"2xx") 
| eval current_day = strftime(now(), "%A") 
| eval log_day = strftime(_time, "%A") 
| where current_day == log_day
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%d")
| stats count by hour day HTTP_STATUS_CODE 
| chart avg(count) as average by hour HTTP_STATUS_CODE

 This plots grpah for complete 24hrs. 

Tester237_0-1696400235930.png


I wanted to know if I can limit the graph to current timestamp. Say now system time is 11AM. I want graph to be plotted only upto 11AM and not entire 24hrs. Can it be done ? Please advice

Labels (4)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-04-2023 12:45 AM

Just to be clear, you are thinking of previous 2-week average by hour of day, not previous 2 weekday average.  Correct?

index="xyz"  sourcetype="abc" app_name="123" or "456" earliest=-15d@d latest=now | rex field=msg "\"[^\"]*\"\s(?<status>\d+)"
| eval current_day = strftime(now(), "%A") 
| eval log_day = strftime(_time, "%A") 
```| where current_day == log_day```
| eval hour=strftime(_time, "%H")
| eval current_hour = strftime(now(), "%H") 
| where hour <= current_hour
| eval day=strftime(_time, "%d")
| stats count by hour day HTTP_STATUS_CODE
| chart avg(count) as average by hour HTTP_STATUS_CODE

Note you cannot have | where current_day == log_day and still get average across multiple days.

Reply

Tester237
Explorer
‎10-04-2023 04:59 AM

@yuanliu I'm looking for previous 2 "weekday" average. 

Consider, today is "Wednesday". I want to plot avg of previous 2 Wednesday's as a comparison against live data. 

Along with this, how can the search be only limited to the time range selected from the time picker ? 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...