Timewrap: Compare last 24 hours to the same day over the last 4 weeks

RMoore01
New Member

I would like to compare the last 24 hours to the same day the previous 4 weeks.

0 Karma
1 Solution

MuS
Legend

Hi RMoore01,

I find the command multisearch really handy for this kind of comparison; it is also a very fast/efficient way to search two different time ranges. Although multisearch uses subsearch syntax, it is actually not affected by any subsearch limitations - from the docs http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch

With the multisearch command, the events from each subsearch are interleaved. Therefore the multisearch command is not restricted by the subsearch limitations.

Okay, now for the example; take this run-everywhere example to see how it can be done:

| multisearch 
    [ search index=_internal sourcetype=splunkd earliest=-2w-24h@h latest=-2w@h 
      | eval event="1", when="then" ] 
    [ search index=_internal sourcetype=splunkd earliest=-24h@h latest=@h 
      | eval event="1", when="now" ] 
| chart sum(event) AS events over date_hour by when

This will give you a chart with the sum of events over the last 24 hours (second search) and the same time range 2 weeks ago (first search). I had to use 2 weeks because it searches index=_internal 😉

If you add a where to the SPL, you can compare the events and show it in a graph like this:
[chart image]

Hope this helps ...

cheers, MuS

RMoore01
New Member

This is very helpful, but I need the actual date and times instead of date_hour.

0 Karma

MuS
Legend

So, this one will give you the _time, but only for the last 24 hours:

| multisearch 
    [ search index=_internal sourcetype=splunkd earliest=-2w-24h@h latest=-2w@h 
      | eval event="1", when="then" ] 
    [ search index=_internal sourcetype=splunkd earliest=-24h@h latest=@h 
      | eval event="1", when="now" ] 
| bin _time span=1h 
| fields event when date_hour 
| chart sum(event) AS events values(_time) AS _time over date_hour by when 
| where 'events: now' > 'events: then' 
| table "VALUE_time: now" events* 
| rename "VALUE_time: now" AS _time

The events represented by "then" are in the same hour, just two weeks earlier in this example.

cheers, MuS

0 Karma
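Extending MuS's two-range multisearch above to the four prior weeks the question asks for, and keeping real timestamps instead of date_hour as RMoore01 wanted, here is an added example that is not part of the original thread. It still searches index=_internal sourcetype=splunkd so it runs on any instance (swap in your own index; note that _internal is often retained for less than four weeks, so the older series may come back empty). Each prior week's events have their _time shifted forward with relative_time so that all five series land on the same hours of the last 24 hours and timechart can lay them side by side; the series names (this_week, 1w_ago ... 4w_ago) and the prior_avg / pct_change fields are my own naming, not from the post.

```spl
| multisearch
    [ search index=_internal sourcetype=splunkd earliest=-24h@h latest=@h
      | eval when="this_week" ]
    [ search index=_internal sourcetype=splunkd earliest=-1w-24h@h latest=-1w@h
      | eval when="1w_ago", _time=relative_time(_time, "+1w") ]
    [ search index=_internal sourcetype=splunkd earliest=-2w-24h@h latest=-2w@h
      | eval when="2w_ago", _time=relative_time(_time, "+2w") ]
    [ search index=_internal sourcetype=splunkd earliest=-3w-24h@h latest=-3w@h
      | eval when="3w_ago", _time=relative_time(_time, "+3w") ]
    [ search index=_internal sourcetype=splunkd earliest=-4w-24h@h latest=-4w@h
      | eval when="4w_ago", _time=relative_time(_time, "+4w") ]
| timechart span=1h count by when
| eval prior_avg=round(('1w_ago' + '2w_ago' + '3w_ago' + '4w_ago') / 4, 1)
| eval pct_change=if(prior_avg > 0, round(100 * (this_week - prior_avg) / prior_avg, 1), null())
| table _time this_week 1w_ago 2w_ago 3w_ago 4w_ago prior_avg pct_change
```

relative_time(_time, "+1w") is used instead of adding 604800 seconds so that a week which crosses a DST change still lines up on the same wall-clock hour. If one of the earlier weeks has no data at all, its column is missing and prior_avg / pct_change come out null for every row, which is easier to spot than a silent zero. If you want a true rolling window from the exact moment you run the search (as RMoore01 describes), drop the @h from every earliest/latest; the first and last hourly buckets of the timechart are then partial hours, which is why snapping to the hour is usually preferable for comparisons. The built-in alternative that gives the thread its title is timewrap: index=_internal sourcetype=splunkd earliest=-4w-24h@h latest=@h | timechart span=1h count | timewrap 1w | where _time >= relative_time(now(), "-24h@h") produces one column per week (named count_latest_week, count_1week_before, and so on with the default series=relative naming) on the same hourly axis, at the cost of having to scan the whole four-week range instead of just five 24-hour slices.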

MuS
Legend

That will be more difficult, and comparing the results will be complicated as well....but let me try something; there are always options 😉

0 Karma

kmaron
Motivator

when you say "last 24 hours" do you mean a specific DAY like 'Tuesday' or do you mean a rolling 24 hours (like 4pm Monday to 4pm Tuesday)?

0 Karma

RMoore01
New Member

When I say "last 24 hours" I am talking about earliest=now and 24 hours from then and then the same time for the same day the previous 4 weeks.
The start time depends on when I run it, it is not a static variable.
Example:
Sunday 6/10/18 10:37 AM and the last 24 hours.
Sunday 6/03/18 10:37 AM and the last 24 hours.
Sunday 5/27/18 10:37 AM and the last 24 hours.
Sunday 5/20/18 10:37 AM and the last 24 hours.

0 Karma