Solved: Same hour for the last 7 days

kochera · ‎03-24-2014

Hi,

I would like to compare the same hour for the last seven days. Is there a chance of using timewrap for this?

cheers,
Andy

MuS · ‎03-25-2014

Hi kochera,

Yes, you can use timewrap for this. Take a look at this run everywhere example:

index=_internal earliest=-7d@d latest=-0d@d source=*metrics.log | timechart span=1h sum(kb) by series | timewrap w | where strftime(_time, "%H") == "10"

This will get you a nice chart of the sum for kb per series out of the metrics.log and compares the results for each day at hour 10 over the last 7 days.

hope this helps ... and @carasso can agree on this ...

cheers, MuS

View solution in original post

MuS · ‎03-25-2014

Hi kochera,

Yes, you can use timewrap for this. Take a look at this run everywhere example:

index=_internal earliest=-7d@d latest=-0d@d source=*metrics.log | timechart span=1h sum(kb) by series | timewrap w | where strftime(_time, "%H") == "10"

This will get you a nice chart of the sum for kb per series out of the metrics.log and compares the results for each day at hour 10 over the last 7 days.

hope this helps ... and @carasso can agree on this ...

cheers, MuS

linu1988 · ‎03-25-2014

Kristian's one will be efficient as it will get all the required values before creating the chart.

kristian_kolb · ‎03-25-2014

You might even make do with using the date_* default fields;

index=_internal earliest=-7d@d date_hour=10 | stats c by date_mday

It all depends on how you want to process and report on your data.
/k

Same hour for the last 7 days

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms