Create a report with two different time ranges

vkmurthy · ‎04-22-2019

I have a report created which analyzes my data over the past 30 days.

Then I have a dashboard, with three different searches/panels that analyzes specific data over the last 24 hours.

I would like to put the data from this dashboard into the same report. This would be highly convenient to see everything on one page by Id which is a field. If the data is not available for the past 24 hours, but exists over 30 days, that cell should be empty .

More specifically, in the 30 day report I search for all units that have been online in the past 30 days, and then put them in a table.

Id="*" Status="*" earliest=-30d latest=now
| dedup Id
| table _time Id customer Status Number_of_Days_Since_Comms

in the dashboard, my three searches create sparklines or tables.

Id="*" metrics1="0.0"
|chart sparkline(avg(metrics1)) as "Metrics1 over 24 Hours" by Id

Id="*" metrics2="0.0"
|chart sparkline(avg(metrics2)) as "Metrics2 over 24 Hours" by Id

Id="*" (metrics3<="X" OR metrics4<"Y")
|table _time Id metrics3 metrics4

How can I combine these into a single report?

woodcock · ‎04-23-2019

I have no idea what you really need here. Please edit/comment and add much more detail.

Create a report with two different time ranges

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Create a report with two different time ranges

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?