Splunk Search

How to compare results of same search for two different time ranges without using timechart?

ashbhaic
Explorer

I have logs which tell me the service name, time and domain name where this service was called.

I have a query to chart the number of services that were invoked for each domain (channel) as below :

index=realtimelogs earliest=-15m@m | chart count(SERVICE) AS "No. of Services Invoked" by channel

It results in below :

channel      No. of Services Invoked
TSYS         1234
Fidelity     2345

I am looking for a single query that can pull the count in two different time intervals so that I can compare the count by channel in those two time ranges. (I am looking for a way to add a new column to the existing result which lists data from a different time range.)

I am not looking for plotting the results against time. I just need a side by side comparison.

1 Solution

ashbhaic
Explorer

Ok .. so I figured out a way to do this ...
All answers point to the use of append but were plotting the data on a timechart. My need is to plot the number of services that were invoked against the channel where they were invoked and do a comparison side by side, and append was way too slow.
Below is what I used and it gives me exactly what I am looking for :

|multisearch [search index=realtimelogs earliest=-15m@m | eval id="15m back"] [search index=realtimelogs earliest=-30m@m latest=-15m@m | eval id="30m back"] | chart count(SERVICE) by channel id

It plots as a Bar chart (sadly I don't have enough points to post a pic here 😞 ) with two bars per channel showing the count of services that were invoked between now and 15m back, and between 15m and 30m back.


Richfez
SplunkTrust

Another way to handle this could be:

index=realtimelogs earliest=-30m@m | bin _time bins=2 | stats count by _time, channel | xyseries _time, channel, count

You can change around the order of the parameters of the xyseries to change what's plotted against what, and bin has more options, like span=15m, log spans and all sorts of other things.

Just another option for people who stumble across this question in the future.

0 Karma
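To make the shape of the two result tables concrete without a Splunk instance, here is an added Python emulation of both pipelines on this thread (the accepted multisearch + chart answer and the bin + stats + xyseries alternative above). It is not code from the original posts or from Splunk; the events, the fixed search time and the channel names are constructed, and `bin _time bins=2` is modelled as a fixed 15-minute span (the `span=15m` option mentioned above) because Splunk picks the auto span from the data's time range. It also shows the edge case the side-by-side comparison raises: a channel that appears in only one window, which `chart` and `xyseries` leave blank and which is filled with 0 here, plus the per-channel difference between the two windows.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "search time" so the example is deterministic (constructed; Splunk uses now()).
NOW = datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)

# Constructed log events: (minutes before NOW, SERVICE, channel).
RAW_EVENTS = [
    (2, "getBalance", "TSYS"), (5, "getBalance", "TSYS"), (9, "postPayment", "TSYS"),
    (3, "getBalance", "Fidelity"), (12, "getQuote", "Fidelity"),
    (17, "getBalance", "TSYS"), (22, "postPayment", "TSYS"),
    (18, "getQuote", "Fidelity"), (25, "getQuote", "Fidelity"), (28, "getBalance", "Fidelity"),
    (26, "getQuote", "NewChannel"),   # only present in the older window
    (40, "getBalance", "TSYS"),        # older than earliest=-30m@m, must be ignored
]


def events():
    """Turn the constructed offsets into (_time, SERVICE, channel) tuples."""
    return [(NOW - timedelta(minutes=m), svc, ch) for m, svc, ch in RAW_EVENTS]


def pivot(pairs):
    """Emulate chart/xyseries: (row_key, col_key) pairs -> {row: {col: count}}.
    Every column is present in every row, with 0 where Splunk would leave a blank cell."""
    counts = Counter(pairs)
    rows = sorted({r for r, _ in counts})
    cols = sorted({c for _, c in counts})
    return {r: {c: counts.get((r, c), 0) for c in cols} for r in rows}


def multisearch_chart(evts):
    """multisearch [earliest=-15m@m | eval id="15m back"]
                   [earliest=-30m@m latest=-15m@m | eval id="30m back"]
       | chart count(SERVICE) by channel id
    Rows are channels, columns are the two window labels."""
    cut15, cut30 = NOW - timedelta(minutes=15), NOW - timedelta(minutes=30)
    pairs = []
    for t, _svc, ch in evts:
        if cut15 <= t < NOW:
            pairs.append((ch, "15m back"))
        elif cut30 <= t < cut15:
            pairs.append((ch, "30m back"))
        # anything older than 30m matches neither subsearch
    return pivot(pairs)


def bin_stats_xyseries(evts):
    """earliest=-30m@m | bin _time span=15m | stats count by _time, channel
       | xyseries _time, channel, count
    Rows are the two 15-minute buckets, columns are the channels."""
    cut30 = NOW - timedelta(minutes=30)
    pairs = []
    for t, _svc, ch in evts:
        if t < cut30 or t >= NOW:
            continue
        bucket = cut30 + timedelta(minutes=15 * ((t - cut30) // timedelta(minutes=15)))
        pairs.append((bucket.strftime("%H:%M"), ch))
    return pivot(pairs)


def deltas(table):
    """The side-by-side comparison the question asks for: current window minus previous."""
    return {ch: cols["15m back"] - cols["30m back"] for ch, cols in table.items()}


if __name__ == "__main__":
    evts = events()
    for name, table in (("chart by channel id", multisearch_chart(evts)),
                        ("xyseries _time channel", bin_stats_xyseries(evts))):
        print(name)
        for row, cols in table.items():
            print(f"  {row:12} {cols}")
    print("delta (15m back - 30m back):", deltas(multisearch_chart(evts)))
```

The two pipelines hold the same counts, just transposed: the multisearch version puts channels in rows (one bar group per channel, as the accepted answer describes), the xyseries version puts time buckets in rows. Whichever layout you use, remember that a channel missing from one window shows up as a blank cell in Splunk, so a `fillnull value=0` after the chart or xyseries step is needed before subtracting the columns.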