Solved: Two timecharts for different time frames (today/ye...

dab55 · ‎04-15-2021

Hi all,

I'm trying to create a chart containing two timecharts for different time frames (e.g. today/yesterday). How can I achieve it?

Currently I'm getting it one after another on the same graph. I'd like basically to overlay one timechart on another one.

index=ddos device_event_class_id=Bandwidth earliest=-1d@d latest=-0d@d | rex field=msg "msg=.+raffic.+'(?<pg_name>[\w\s\-]+)'.+(?<bps>\d+\.\d+\s.+)\..+" | eval ReportKey="yersterday" | timechart span=3h count by pg_name | append [search index=ddos device_event_class_id=Bandwidth earliest=-2d@d latest=-1d@d | rex field=msg "msg=.+raffic.+'(?<pg_name>[\w\s\-]+)'.+(?<bps>\d+\.\d+\s.+)\..+" | eval ReportKey="beforeyesterday" | timechart span=3h count by pg_name ] | fillnull value=0 | eval mytime=strftime(_time, "%H:%M") | sort mytime

Thanks in advance.

ITWhisperer · ‎04-15-2021

Try adding:

| timewrap d

View solution in original post

ITWhisperer · ‎04-15-2021

Try adding:

| timewrap d

dab55 · ‎04-15-2021

@ITWhisperer @richgalloway

Thanks a lot!

richgalloway · ‎04-15-2021

Check out the timewrap command.

---
If this reply helps you, Karma would be appreciated.

Two timecharts for different time frames (today/yesterday) on one graph

stats

timechart

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor