Splunk Search

Timewrap: Compare last 24 hours to the same day over the last 4 weeks

RMoore01
New Member

I would like to compare the last 24 hours to the same day the previous 4 weeks.

0 Karma
1 Solution

MuS
Legend

Hi RMoore01,

I find the command multisearch really handy for this kind of comparison, and it is also a very fast/efficient way to search two different time ranges. Although multisearch uses subsearch syntax, it is actually not affected by any subsearch limitations - from the docs http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch

With the multisearch command, the events from each subsearch are interleaved. Therefore the multisearch command is not restricted by the subsearch limitations.

Okay, now for the example; take this run-everywhere example to see how it can be done:

| multisearch 
    [ search index=_internal sourcetype=splunkd earliest=-15d@h latest=-14d@h 
    | eval event="1", when="then" ] 
    [ search index=_internal sourcetype=splunkd earliest=-24h@h latest=@h 
    | eval event="1", when="now" ] 
| chart sum(event) AS events over date_hour by when

This will give you a chart with the sum of events over the last 24 hours (second search) and the same time range 2 weeks ago (First search). I had to use 2 weeks because it searches index=_internal 😉

If you add a where to the SPL, you can compare the events and show it in a graph like this:
[chart image]

Hope this helps ...

cheers, MuS

RMoore01
New Member

This is very helpful, but I need the actual date and times instead of date_hour.

0 Karma

MuS
Legend

So, this one will give you the _time, but only for the last 24 hours:

| multisearch 
    [ search index=_internal sourcetype=splunkd earliest=-15d@h latest=-14d@h 
    | eval event="1", when="then" ] 
    [ search index=_internal sourcetype=splunkd earliest=-24h@h latest=@h 
    | eval event="1", when="now" ] 
| bin _time span=1h 
| fields event when date_hour 
| chart sum(event) AS events values(_time) AS _time over date_hour by when 
| where 'events: now' > 'events: then'
| table "VALUE_time: now" events*
| rename "VALUE_time: now" AS _time

The events represented by "then" are in the same hour, just two weeks earlier in this example.

cheers, MuS

0 Karma

MuS
Legend

That will be more difficult, and comparing the results will be complicated as well... but let me try something; there are always options 😉

0 Karma

kmaron
Motivator

when you say "last 24 hours" do you mean a specific DAY like 'Tuesday' or do you mean a rolling 24 hours (like 4pm Monday to 4pm Tuesday)?

0 Karma

RMoore01
New Member

When I say "last 24 hours" I am talking about earliest=now and 24 hours from then and then the same time for the same day the previous 4 weeks.
The start time depends on when I run it, it is not a static variable.
Example:
Sunday 6/10/18 10:37 AM and the last 24 hours.
Sunday 6/03/18 10:37 AM and the last 24 hours.
Sunday 5/27/18 10:37 AM and the last 24 hours.
Sunday 5/20/18 10:37 AM and the last 24 hours.

0 Karma