Splunk Search

Splunk : chart of two timeperiods

LauraBre
Communicator

Hello,

I want to know if it's possible to create a chart where there are two periods of time. For example, I want to have a line with the number of hosts for the last year and, on the same chart, a line which is the number of hosts of two years. How can we do a chart of this type????

Thanks by advance,

Laura

Tags (2)

landen99
Motivator

Here is a much more elegant solution which can plot all days on the same day in timechart:

| eval series=strftime(_time, "%m-%d") | eval time_delta=(now-_time)/86400,time_day=ceiling(time_delta),_time=_time+time_day*86400 | eval day=case(time_day=0,"Today",time_day=1,"Yesterday",time_day=8,"SD last week") | timechart fixedrange=false sum(count) by day

This allows you to plot any time range by series or to assign nice names in the case statement to each day based on its relation to the current time/day. 86400 is the number of seconds in a day.

0 Karma

sideview
SplunkTrust
SplunkTrust

Note that if you can get the hang of it, the best way to do this search is to do it in one search pipeline, ie to not use the append command.

If you run this search over the timerange: -1d@d to now(), it'll get the same results.
I made it a little cautious, so that if the timerange is accidentally set too wide, it'll create a third ReportKey value called "Before Yesterday".

Essentially the idea is to get all the events for the past 2 days off disk, and then use eval, a little conditional logic, and the relative_time() function, to paint different ReportType values on each event. Then later we use that field as our split-by.

Again, use the TimeRangePicker's 'custom> relative timerange', or 'custom>advanced' mode to set the timerange to -1d@d on the earliest side, and to now() on the latest side.

And then run this search:

tag::source="TokenizerWatchdogSplunk" Service_Type="*" | multikv | eval ReportKey=if(_time>=relative_time(now(), "@d"), "Today", if(_time>=relative_time(now(), "-1d@d", "Yesterday", "Before Yesterday"))| timechart count(Service_Type) as "Number of Services" by ReportKey

sdaniels
Splunk Employee
Splunk Employee

sideview
SplunkTrust
SplunkTrust

No problem. It takes some getting used to. I'll add it as a separate answer. The risk if you use append, is that if the subsearch takes more than 60 seconds to finish then it'll get quietly finalized so you'll have only partial results in the end report. Likewise if the subsearch returns more than 50000 rows, the rest of the yesterday data may be discarded). http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Append

0 Karma

LauraBre
Communicator

This my search with the Sdaniel's solution :

tag::source="TokenizerWatchdogSplunk" Service_Type="*"| multikv | eval ReportKey="today" | append [search tag::source="TokenizerWatchdogSplunk" Service_Type="*" | multikv | eval ReportKey="yesterday" ] |  timechart count(Service_Type) as "Number of Services"  by ReportKey

How can I create the same search with your solution Sideview? I don't understand very well your solution.

0 Karma

sideview
SplunkTrust
SplunkTrust

it's not the best practice to use append for this. It's far better to do it in one search and paint a 'marker' field onto the events using some conditional eval logic, and then split-by the marker in your chart or timechart...

0 Karma

sdaniels
Splunk Employee
Splunk Employee

The example that Jon walks through in the blog shows you an example of how to format a search to get the two time ranges in the same view. Maybe i'm missing something?

0 Karma

LauraBre
Communicator

Do you know how can I include this in a search????

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...