Problems comparing 2 weeks, time ranges get lost

michaelmusiol
New Member

Hi all, here is a well-known question in a new context.

I am comparing data over weeks, but it seems that I am shifting the old time range onto the new range in a slightly wrong way.

Querying over 14 days shows me a complete, filled timeline with events. So far so good.
After that I am splitting the old and the new week in the known ways,
doing a double timeshift (for better formatted timelines: shift thisWeek into the past, get the past week, shift everything 1 week into the future).
The additional table command gives me a well-formatted table to see my shifts.

But NOW it happens:
I'm working on data over 14 days; the timeline has events everywhere.
Doing the timeshifts I'm losing my events older than 10 days, so my graph for lastWeek shows only zeros from about the 10th day on.

Wtf happens here?
I tried to figure out my mistake with different time ranges: minutes, hours, 1 and 2 days work as intended, 4 days shows the first glitch, and all larger searches lose additional data.

Using this code:

search = index=sw-syslog sourcetype=syslog sysl_na_device="*" AND sysl_gen_warn="*" earliest=-6d@d latest=-0d@d
| eval ReportKey="thisWeek" | eval _time=_time-(60*60*24*7)
| append [search index=sw-syslog sourcetype=syslog sysl_na_device="*" earliest=-13d@d latest=-6d@d
| eval ReportKey="lastWeek" ]
| table _time sysl_na_device sysl_gen_warn ReportKey | eval _time=_time+(60*60*24*7)
| timechart span=12h count(sysl_gen_warn) AS KPI by ReportKey

Thanks for your time and advice 😉

Greets, Michael

1 Solution

carasso
Splunk Employee

Comparing week-over-week results used to be a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

http://apps.splunk.com/app/1645/


michaelmusiol
New Member

Got it, after about 1 week.
Thanks for these ideas and the hint, lguinn!
http://answers.splunk.com/answers/60295/comparing-time-ranges-one-report

Based on an idea to run it in an autosummarized subsearch, I took lguinn's approach of "not subsearching" and built one large search with later timeshifting.

Finally the code looks great and clear ...

search = index=sw-syslog sourcetype=syslog sysl_bro_device="*" AND sysl_gen_critical="*" earliest=-17d@d latest=-0d@d
| eval ReportKey="thisWeek" | eval ReportKey=if(_time<=relative_time(now(),"-7d"),"lastWeek",ReportKey) | eval _time=if(ReportKey=="lastWeek",_time+60*60*24*7,_time)
| timechart span=3h count(sysl_gen_critical) AS KPI by ReportKey

and ..... it worked without loss.

Bye, Mic

michaelmusiol
New Member

Splunk 6.
Additional test: with no timeshift, all data is shown.

Greets again