Hello Splunkers,
I've seen a few questions and one blog post about this topic.
Goal: Look at the trend of one user's activity over a specified period of time (a week in this example) and look at the trend of that same user's activity over a different period of time.
Problem: I don't know if I should be using append or appendcols. Currently I am only seeing what amounts to borderline results with appendcols. When I put in my query, whichever search I put first (i.e. not the subsearch) I get that output on the timechart. I don't see the subsearch's trendline, even though it shows up in the legend. I think it is because the timechart doesn't span the dates required to view the subsearch.
Query short-hand:
index=myIndex sourcetype=myType earliest=-7d@h latest=now "Query OR This" | rex me.here | timechart span=1d count(account_name) AS This_Week | appendcols [ search maxtime=500 timeout=500 index=myIndex sourcetype=myType earliest=-14d@h latest=-7d@h "Query OR This" | rex me.here | timechart span=1d count(account_name) AS Last_Week ]
Thanks for the help in advance.
I would refer to this as a (perhaps) cleaner approach to this: http://splunk-base.splunk.com/answers/2712/line-chart-comparing-yesterdays-result-with-todays-result...
No subsearches or append
s are required at all, as long as you are looking at consecutive (days/weeks/months). You will need append
to do "first week of this month" compared to "first week of last month"
I assume you were pointing me to the most voted answer? There were quite a few answers in there with different approaches and results. Still tinkering trying to get a solution for this.