Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

superimposed timeline chart comparing the latest and last week data

prajwal_94
Explorer
‎05-09-2021 01:13 AM

For the below query, searching for the values of 2nd occurence of earliest and latest events so that the timechart would return superimposed data from current time minus 2hrs and last week data for same time frame(2hrs).

index=sample sourcetype=hello "*abc*" earliest=-120m@m latest=now | multikv | eval ReportKey="today" | append [ search index=sample sourcetype=hello "*abc*" earliest=... latest=... | multikv | eval ReportKey="lastweek" | eval _time=_time+86400] | timechart span=5m count by ReportKey usenull=false useother=false

 

Thanks in advance!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2021 02:50 AM

Timechart seems to try to be clever and determine the earliest searched time, despite any manipulation done to the _time field, so use bin and chart instead. However, bear in mind that the chart will start from the earliest event time (adjusted) and not necessarily from the earliest time searched.

index=_internal earliest=-2h@m latest=@m
| eval ReportKey="Today"
| append
    [search index=_internal earliest=-2h-7d@m latest=-7d@m
    | eval ReportKey="Last week"
    | eval _time=relative_time(_time,"+7d")]
| bin span=5m _time
| chart count by _time ReportKey

 

View solution in original post

Reply
Solved! Jump to solution

prajwal_94
Explorer
‎05-09-2021 04:00 AM

Thank you so much @ITWhisperer , it worked!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2021 02:50 AM

Timechart seems to try to be clever and determine the earliest searched time, despite any manipulation done to the _time field, so use bin and chart instead. However, bear in mind that the chart will start from the earliest event time (adjusted) and not necessarily from the earliest time searched.

index=_internal earliest=-2h@m latest=@m
| eval ReportKey="Today"
| append
    [search index=_internal earliest=-2h-7d@m latest=-7d@m
    | eval ReportKey="Last week"
    | eval _time=relative_time(_time,"+7d")]
| bin span=5m _time
| chart count by _time ReportKey

 

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...