Splunk Enterprise

How to compare 2 single panel value between 2 different times but between the same hour?

jip31
Motivator

hello

In my dashboard, I need to compare 2 single panel value between 2 different times

The first single panel stats the events on the last 15 minutes like this

 

| stats max(sys_session_count) as session by host 
| stats sum(session) as session 
| table session 

 

Now, what I need to do is to compare this current single panel value with the results one week before during the same slot time

For example, today is the 13 of June and the current hour is 8:15 AM

So in the second single panel, I need to display result for the 6 of June at 8:15

Here is what I am doing

 

`index` sourcetype="system" earliest=-7d@d+7h latest=-7d@d+19h 
| bin _time span=15m 
| eval time=strftime(_time,"%H:%M") 
| stats max(sys_session_count) as session by host time 
| stats sum(session) as session by time
| eval current=now() 
| bin current span=15m 
| eval current=strftime(current,"%H:%M") 
| where time=current
| table session time

 

But I think it's not good because whatever the time is (8:15, 8:30, 8:45...), the results is almot the same

So is anybody have an idea in order to answer to my need correctly?

thanks

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Shouldn't this be

sourcetype="system" earliest=-7d@m-15m latest=-7d@m 

View solution in original post

0 Karma

jip31
Motivator

Is anybody can help please?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

OK I'll ask again. What do you mean by almost the same?

Can you give some examples of the results you are getting and explain why they are not what you expect them to be?

0 Karma

jip31
Motivator

Please forget "almost the same"

Concerning my needs :

In a first search, I sum the number of session on the last 15 minutes like below

<dashboard refresh="60">
  <label>XX</label>
  <search id="session">
    <query>`index` sourcetype="system" 
  </query>
    <refresh>10s</refresh>
    <refreshType>delay</refreshType>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <single>
        <search base="session">
          <query>| stats max(sys_session_count) as session by host 
| stats sum(session) as session 
| table session 

  Now, I need to do the same thing 7 days before the current day

So here is what I doing

`index` sourcetype="system" earliest=-7d@h latest=-7d@h+15m 
| stats max(sys_session_count) as session by host 
| stats sum(session) as session 
| table session 

But it seems that earliest=-7d@h latest=-7d@h+15m dont display events on the last 15m compared to the current time

what I exactly need  in this second search is to sum the number of session 7 days ago and on the last 15 minutes only

so I am looking for the best way to do this please

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Shouldn't this be

sourcetype="system" earliest=-7d@m-15m latest=-7d@m 
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What do you mean almost the same? Have you checked the results from 7 days ago?

0 Karma

jip31
Motivator

Except if I am mistaken, the relative time in the search annihilate the time picker choice

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Yes, setting earliest and latest as you have done means that the timepicker is not used.

0 Karma

jip31
Motivator

So for answering your question it changes anything....

0 Karma
Get Updates on the Splunk Community!

Testing out the OpenTelemetry Collector With raw Data

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...