Splunk Search

Timechart past 24 hours with a 30 day trendline comparison

aohls
Contributor

I have a timechart where I am getting the average of user actions. What I would like to do is have this run for the past 24 hours but have also the historical 30 day or so trendline incorporated. I was attempting something like the following:

sourcetype="user"
| append [ timechart avg(user_time) by user_componentspan=15m limit=0]
| timechart avg(user_time) by user_component span=4week
| timewrap 4week

This doesnt get to where I want though. Additionally I was thinking of creating a trendline but in trying that I cant get it to go back historically beyond my time-range. Is there a better way to accomplish this?

0 Karma

macadminrohit
Contributor

You can probably create a saved search which runs every day and fetches last 30 days data and does the stats or timechart and updates a lookup which then you can use in the search which is run for last 24 hours data. The data in the lookup can server your purpose for a trendline . The benefit of doing this way is you dont have to run the search for last 30 days which will slowdown your overall search.

Saved search for the lookup :

index=yourindex earliest=-30d@d 
| timechart span=4w dc(hdr.userId) as username by user_component limit=0 | outlookup append=false lookupname.csv


Your search for the dashboard :

`index=yourindex earliest=-24h@h 
| timechart span=15m dc(hdr.userId) as username by user_component limit=0 | inputlookup append=true lookupname.csv`
0 Karma

aohls
Contributor

Ideally I did not want to use a lookup. Eventually I would like this fed into a dashboard which has some tokens fed in which would result in multiple lookups being maintained.

0 Karma

macadminrohit
Contributor

Now i get you, if you want to change the time for the trendline dynamically then lookup will not be a good idea.

0 Karma

macadminrohit
Contributor

what kind of scenarios you can think of which can stop you from using lookup. I understand using multiple looks for doing the similar things is not a good idea.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...