Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Today vs. Yesterday vs. Last Week

ctripod
Explorer
‎10-17-2013 03:58 PM

Hi All,

I have a need to display a timechart which contains negative HTTP status codes (400's and 500's) today, yesterday, and same time last week. I've used append, appendcol, stats, eval, addinfo, etc. and I can't seem to get the best fit. Some timeout on subsearches, some don't make the _time readable and I've tried just about every example possible.

I've tried to break the 3 searches into individual saved searches and build acceleration for each. Any help would be greatly appreciated. Here is the best performing one; that is only for today vs. yesterday which I cannot get the time series display to render nicely, but it performs the best (returning under 5 seconds).

index=access_json status>=400 earliest=-2h@h latest=@h 
| timechart span=1m count as metric | addinfo  
| eval marker = if(_time < info_min_time + 3600, "Last hour", "This hour") 
| eval _time = if(_time < info_min_time + 3600, _time + 3600, _time) 
| chart median(metric) by _time marker

Thanks!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎05-21-2014 11:55 AM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap d

That's it!

http://apps.splunk.com/app/1645/

View solution in original post

Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎05-21-2014 11:55 AM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap d

That's it!

http://apps.splunk.com/app/1645/

Reply
Solved! Jump to solution

lguinn2
Legend
‎10-17-2013 04:41 PM

Try this

index=access_json status>=400 earliest=-7d@d latest=@h 
| eval startToday = relative_time(now(),"-24h@h")
| eval startYesterday = relative_time(now(),"-48h@h")
| eval endLastWeek = relative_time(now(),"-168h@h")
| eval marker = case(_time >= startToday, "Today",
                     _time >=startYesterday,"Yesterday",
                     _time <= endLastWeek,"Last Week",
                     1=1,"Outside Range")
| where marker != "Outside Range"
| eval _time = case(marker="Today",_time,
                    marker="Yesterday",_time+86400,
                    marker="Last Week",_time+(7*86400) )
| timechart fixedrange=f count by marker

I might be a bit off on the time math, but you get the idea. BTW, now() is the time that the search started; you don't have to use addinfo to get it...

Reply
Solved! Jump to solution

tpflicke
Path Finder
‎11-01-2013 04:36 PM

index=access_json status>=400 earliest=-192h@h latest=@h
| eval startToday = relative_time(now(),"-24h@h")
| eval startYesterday = relative_time(now(),"-48h@h")
| eval endLastWeek = relative_time(now(),"-168h@h")
| eval marker = case(_time >= startToday, "Today",
_time >=startYesterday,"Yesterday",
_time <= endLastWeek,"Last Week",
1=1,"Outside Range")
| where marker != "Outside Range"
| eval _time = case(marker="Today",_time,
marker="Yesterday",_time+86400,
marker="Last Week",_time+(7*86400) )
| timechart span=1h fixedrange=f count by marker

0 Karma
Reply
Solved! Jump to solution

john_q
Explorer
‎08-16-2018 12:17 AM

i would like to include prior week as well. i have modified query to like below mentioned but not working??

index=access_json status>=400 earliest=-360h@h latest=@h
| eval startToday = relative_time(now(),"-24h@h")
| eval startYesterday = relative_time(now(),"-48h@h")
| eval endLastWeek = relative_time(now(),"-168h@h")
| eval priorLastWeek = relative_time(now(),"-336h@h")
| eval marker = case(_time >= startToday, "Today",
_time >=startYesterday,"Yesterday",
_time <= endLastWeek,"Last Week",_time <= endLastWeek,"Prior Week",
1=1,"Outside Range")
| where marker != "Outside Range"
| eval _time = case(marker="Today",_time,
marker="Yesterday",_time+86400,
marker="Last Week",_time+(7*86400), marker="Last Week",_time+(14*86400) )
| timechart span=1h fixedrange=f count by marker

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-16-2018 03:21 AM

@john_q This thread is more than four years old with an accepted answer. You have a better chance at getting a good response to your problem if you post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

tpflicke
Path Finder
‎11-01-2013 04:33 PM

I changed a couple of things to get the query to do exactly as desired: endLastWeek using 168h (i.e. 7 x 24) and earliest=-192h.
The latter got around the unsightly issue of an extra bar due to changing from Summer to Wintertime last weekend. Took me a while to figure where that rogue bar came from.

0 Karma
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...