Hello,
I want to know if it's possible to create a chart with two periods of time. For example, I want to have a line with the number of hosts for the last year and, on the same chart, a line with the number of hosts from two years ago. How can we do a chart of this type?
Thanks in advance,
Laura
Here is a much more elegant solution which can plot all days on the same day in timechart:
| eval series=strftime(_time, "%m-%d") | eval time_delta=(now()-_time)/86400, time_day=ceiling(time_delta), _time=_time+time_day*86400 | eval day=case(time_day=0,"Today", time_day=1,"Yesterday", time_day=8,"SD last week") | timechart fixedrange=false sum(count) by day
This allows you to plot any time range by series or to assign nice names in the case statement to each day based on its relation to the current time/day. 86400 is the number of seconds in a day.
Note that if you can get the hang of it, the best way to do this search is to do it in one search pipeline, i.e. to not use the append command.
If you run this search over the timerange: -1d@d to now(), it'll get the same results.
I made it a little cautious, so that if the timerange is accidentally set too wide, it'll create a third ReportKey value called "Before Yesterday".
Essentially the idea is to get all the events for the past 2 days off disk, and then use eval, a little conditional logic, and the relative_time() function, to paint different ReportType values on each event. Then later we use that field as our split-by.
Again, use the TimeRangePicker's 'custom> relative timerange', or 'custom>advanced' mode to set the timerange to -1d@d on the earliest side, and to now() on the latest side.
And then run this search:
tag::source="TokenizerWatchdogSplunk" Service_Type="*" | multikv | eval ReportKey=if(_time>=relative_time(now(), "@d"), "Today", if(_time>=relative_time(now(), "-1d@d"), "Yesterday", "Before Yesterday")) | timechart count(Service_Type) as "Number of Services" by ReportKey
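As an added example (not from any of the posts in this thread), this combines the day-shift trick of the first answer with the labelled split-by of Sideview's answer: it overlays failed SSH logins from today, yesterday and the same weekday last week on one hourly axis. The base search (`index=security sourcetype=linux_secure "Failed password"`) is an assumption; substitute your own.

```spl
index=security sourcetype=linux_secure "Failed password" earliest=-7d@d latest=now
| eval day_start=relative_time(now(), "@d")
| eval days_back=ceiling((day_start - _time) / 86400)
| where days_back=0 OR days_back=1 OR days_back=7
| eval series=case(days_back=0, "Today", days_back=1, "Yesterday", days_back=7, "Same day last week")
| eval _time=_time + days_back * 86400
| timechart fixedrange=false span=1h count AS failed_logins BY series
```

Because `earliest=-7d@d` snaps to midnight seven days ago, each of the three series covers a whole calendar day, and shifting `_time` forward by `days_back` days puts all three on today's axis. Doing it in one pipeline also sidesteps the subsearch limits that append is subject to.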
Great example of this below.
http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/
No problem. It takes some getting used to. I'll add it as a separate answer. The risk if you use append is that if the subsearch takes more than 60 seconds to finish then it'll get quietly finalized, so you'll have only partial results in the end report. Likewise, if the subsearch returns more than 50000 rows, the rest of the yesterday data may be discarded. http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Append
This is my search with Sdaniel's solution:
tag::source="TokenizerWatchdogSplunk" Service_Type="*" earliest=@d | multikv | eval ReportKey="today" | append [search tag::source="TokenizerWatchdogSplunk" Service_Type="*" earliest=-1d@d latest=@d | multikv | eval ReportKey="yesterday"] | timechart count(Service_Type) as "Number of Services" by ReportKey
How can I create the same search with your solution, Sideview? I don't understand your solution very well.
It's not the best practice to use append for this. It's far better to do it in one search and paint a 'marker' field onto the events using some conditional eval logic, and then split-by the marker in your chart or timechart...
The example that Jon walks through in the blog shows you how to format a search to get the two time ranges in the same view. Maybe I'm missing something?
Do you know how I can include this in a search?