Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Timechart comparing values from now and 7 days ago

jawebb
Explorer
‎11-06-2015 03:54 PM

Hello,

I'm trying to show trends using a single value dashboard to compare a count from now and 7 days ago. It seems when I use a one day span and a time frame of 7 days using the xml value <option name="trendInterval">-7d</option> I still get a comparison that counts between the latest data and the previous day. I tried to use a 7 day span instead but that gives me incorrect counts.

index=example | timechart span=1d dc(OfflineDevices) as Offline

Thanks

alt text

Tags (3)
Preview file
11 KB
0 Karma
Reply

mbond81
Engager
‎11-07-2015 05:12 AM

I'm trying to do a similar thing comparing current day values to yesterdays, as an overlay for visualization. Here's what I found (but you can modify the earliest/latest times and the "new time" to reflect whatever timeframe you wish. (found here http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/)

index=whatever sourcetype=whatever "Packetspersecond" sceInfoId=17 OR sceInfoId=18 earliest=-0d@d latest=now | eval ShaperData="today" | append [search index=nethlth sourcetype="nethlth_SceProcessorData" Packetspersecond sceInfoId=17 OR sceInfoId=18 earliest=-1d@d latest=-0d@d | eval ShaperData="yesterday" | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time),new_time,_time) | timechart median(packetsPerSecond) span=15m by ShaperData

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-06-2015 04:01 PM

Timewrap will be your friend. The app is here, and in its documentation page it has quite a few tips and tricks and how to use it. Try a few of the examples, see if you can modify one to your needs, and if not, please post back and we'll be sure to help!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...