Problems comparing 2 Weeks, timeranges get lost

michaelmusiol
New Member

Hi all, here is a well-known question in a new context.

I am comparing data over weeks, but it seems that I'm shifting the old time range to the new range in a slightly wrong way.

Querying over 14 days shows me a complete, filled timeline with events. So far so good.
After that I am splitting the old and the new week in the known way,
doing a double timeshift (for better formatted timelines: shift thisWeek into the past, get the past week, shift everything 1 week into the future).
The additional table command gives me a well-formatted table to see my shifts.

But NOW it happens:
I'm working on data over 14 days, and the timeline has events everywhere.
Doing the timeshifts, I'm losing my events older than 10 days, so my graph for lastWeek shows only zeros from about the 10th day on.

WTF happens here?
I tried to figure out my mistake with different time ranges: minutes, hours, 1 + 2 days work as intended, 4 days shows the first glitch, and all larger searches lose additional data.

Using this code:

search = index=sw-syslog sourcetype=syslog sysl_na_device="*" AND sysl_gen_warn="*" earliest=-6d@d latest=-0d@d
| eval ReportKey="thisWeek"
| eval _time=_time-(60*60*24*7)
| append [search index=sw-syslog sourcetype=syslog sysl_na_device="*" earliest=-13d@d latest=-6d@d
    | eval ReportKey="lastWeek"]
| table _time sysl_na_device sysl_gen_warn ReportKey
| eval _time=_time+(60*60*24*7)
| timechart span=12h count(sysl_gen_warn) AS KPI by ReportKey

Thanks for your time and advice 😉

Greets, Michael


carasso
Splunk Employee

Comparing week-over-week results used to be a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

http://apps.splunk.com/app/1645/


michaelmusiol
New Member

Got it, after about 1 week.
Thanks for these ideas and the hint, lguinn!
http://answers.splunk.com/answers/60295/comparing-time-ranges-one-report

Based on an idea to run it in an auto-summarized subsearch, I took lguinn's approach of "not subsearching" and built one large search with later timeshifting.

Finally the code looks great and clear ...

search = index=sw-syslog sourcetype=syslog sysl_bro_device="*" AND sysl_gen_critical="*" earliest=-17d@d latest=-0d@d
| eval ReportKey="thisWeek"
| eval ReportKey=if(_time<=relative_time(now(),"-7d"),"lastWeek",ReportKey)
| eval _time=if(ReportKey=="lastWeek",_time+60*60*24*7,_time)
| timechart span=3h count(sysl_gen_critical) AS KPI by ReportKey

and ... it worked without loss.

Bye, Mic

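The single-pass approach of the final search above, and the wrap-around idea behind carasso's timewrap, modelled in Python as an added example (not the poster's search and not Splunk's timewrap code): every event in the range is labelled by a cutoff, the older period is shifted forward by one period so both series share one axis, and the result is bucketed per key the way timechart by ReportKey does. The function names, the fixed `now` and the hourly event sample are constructed assumptions; `period` generalizes the seven-day shift to any wrap length.

```python
from collections import Counter

DAY = 24 * 3600
WEEK = 7 * DAY


def report_key(ts, now, period=WEEK):
    """Label an event the way the eval does:
    ReportKey=if(_time<=relative_time(now(),"-7d"),"lastWeek","thisWeek")."""
    return "lastWeek" if ts <= now - period else "thisWeek"


def wrap(events, now, span=3 * 3600, period=WEEK):
    """One pass over all events of the whole range (no append/subsearch):
    label each event, shift the older period forward by one period so it lands
    on the same x-axis as the current one, then bucket by span and count per key.
    Every input event ends up in exactly one bucket; nothing is dropped."""
    series = {"thisWeek": Counter(), "lastWeek": Counter()}
    for ts in events:
        key = report_key(ts, now, period)
        shifted = ts + period if key == "lastWeek" else ts
        bucket = shifted - (shifted % span)  # floor to the span boundary
        series[key][bucket] += 1
    return series


def as_table(series):
    """Rows of (bucket_start, thisWeek, lastWeek), like the timechart output."""
    buckets = sorted(set().union(*(c.keys() for c in series.values())))
    return [(b, series["thisWeek"][b], series["lastWeek"][b]) for b in buckets]


if __name__ == "__main__":
    now = 1705276800  # constructed: 2024-01-15 00:00:00 UTC, on a day boundary
    # constructed sample: one event per hour over the last 14 days
    events = [now - h * 3600 for h in range(1, 14 * 24 + 1)]
    for bucket, this_week, last_week in as_table(wrap(events, now, span=12 * 3600)):
        print(bucket, this_week, last_week)
```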

michaelmusiol
New Member

Splunk 6,
additional test: without the timeshift, all data is shown.

Greets again
