Splunk Search

Timechart trend

gcusello
SplunkTrust
SplunkTrust

I have to show trends in one search: I'd like to have the results of last 24 hours and to compare it with the result of the previous 24 hours.
To do this I used timechart span 24 hours and timerange 48 hours: ...| timechart span=1d count | reverse .
But results are showed by day:
2015-04-03 547
2015-04-02 1032
2015-04-01 621
instead I'd like to have a result like the following:
1384
1259
to show the real trend over 24 hours of the results.

How can I di this?
Thank you.
Bye.
Giuseppe

Tags (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

after almost five years I found my answer:

index=wineventlog earliest=-48h
| eval _time=if(_time>relative_time(now(), "-24h"),now(),relative_time(now(), "-24h"))
| timechart span=24h count

Ciao.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

after almost five years I found my answer:

index=wineventlog earliest=-48h
| eval _time=if(_time>relative_time(now(), "-24h"),now(),relative_time(now(), "-24h"))
| timechart span=24h count

Ciao.
Giuseppe

vnguyen46
Contributor

Interesting, but it goes back only 48 hours. How to make it 7 days or with a time picker?
My search is:
index=wineventlog earliest=-48h
| eval _time=if(_time>relative_time(now(), "-24h"),now(),relative_time(now(), "-24h"))
| timechart span=24h count by login_status

Thanks,

0 Karma

stephanefotso
Motivator

Take a look at this : index=_internal sourcetype=*| bucket span=24h _time| eval day_month=strftime(_time, "%d/%b")|chart count by day_month

SGF
0 Karma

gcusello
SplunkTrust
SplunkTrust

I have to show the trend over a 24 hours period comparing the occurrences in the last 24 hours with the ones in the 24 hours before, starting from the actual time: so if I start my search at 11 A.M. of the 5th of april, I need to have the result in two periods:
from 2015-04-04 11.00.00 to 2015-04-05 10.59.59
from 2015-04-03 11.00.00 to 2015-04-04 10.59.59

instead timechart divides results only by days
2015-04-05 547
2015-04-04 1032
2015-04-03 621
but probably it isn't possible.

Thank you.
Giuseppe

0 Karma

surekhasplunk
Communicator

hi @gcusello,

I have the same query where i have to show the trend for last 24hrs which is working fine but the count of alerts is coming as of now or today not for last 24hrs . can you please help if you have got any solution .

Here is my query which i am using currently.

myquery | lookup abc.csv Device output Type | where isnotnull(Type) | timechart span=1d count(Status) as Total | trendline sma2(Total) as Trend

0 Karma

ppablo
Retired

Hi @cusello

Have you tried changing the span to span=24h instead?

0 Karma

gcusello
SplunkTrust
SplunkTrust

yes I tried both with span=1d and span=24h (I know that it's the same thing!)
The problem is that timechart divides always results by day, instead I'd like to have a division by span period, but probably it isn't possible.
Thank you.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...