Splunk Search

Line Chart Overlay based on previous month and previous month-1

ronaldtanhj
Path Finder

Hi,

I would like to compare the data of the previous month to the month before (i.e. now its October, so the default search will show September and August line chart in one panel).

In the edit search portion of the dashboard, I've set the Time Range to 'Tokens' and Earliest Token to "@mon' and Latest Token to '@mon-1'

ronaldtanhj_0-1603177950707.png

ronaldtanhj_1-1603178014296.png

 

May I know how I can include the chart for  Earliest Token of "@mon-1' and Latest Token to '@mon-1' within the same search/panel?

Thanks. 

 

 

Labels (2)
Tags (1)
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

If you are no longer plotting by day of the month but using discrete conditions you don't need to bother with date_mday (unless you are doing two separate plots).

-- base query
| eval month=strftime(_time,"%m")
| stats count as ABC by month condition1 condition2
| eval EFG=round(ABC/1000,3)
| stats sum(EFG) as XYZ by condition1 month
| xyseries condition1 month XYZ

You would normally use xyseries once to set up the table for the plot, it is fine to do calculations can be done before the xyseries (as above). 

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Depending on your aggregation function (I have used the sum of counts from events)

-- base query
| eval date_mday=printf("%02d",date_mday)
| stats sum(count) as count by date_mday date_month
| xyseries date_mday date_month count

You should set your time period to earliest=-2mon@mon and latest=@mon as previously suggested by @thambisetty 

ronaldtanhj
Path Finder

Hi ITWhisperer,

Thanks for your reply.

I'm trying to understand the your reply but couldn't get the query to work. 

 

I understand that by starting off with earliest=-2mon@mon and latest=-@mon, it bounds the timeframe to current month-1 and current month -2 (i.e now its October, so the data will be between start August and end September"

However, what I couldn't quite understand is the following:

| eval date_mday=printf("%02d",date_mday)

Question 1: May I know what the printf function does and how "%02d" divides the data into August and September?

Question 2: Shouldn't there be 2 of such an 'eval'

i.e 

eval date_1=printf(xxxx, date_1) to set the boundary between start and end August

eval date_2=printf(xxxx, date_2)  to set the boundary between start and end September.

Question 3: Lets say I want to specify a date for date_1 and date_2, how can i change the line? - I've tried eval date_2=printf("1/1/2020, date_2) while setting the timepicker to all time and no defining the 'earliest' and 'latest' at the start - but faced an error message.

 

 

Question 4: What does date_month represent in the case below? Does it not require an 'eval' like when date_mday was defined?

| stats sum(count) as count by date_mday date_month

 for my case, I am performing a series of eval and stats sum by several fields in order to get the final value.

sample:

|stats latest(fieldX) as X, earliest(fieldY) as earliest Y by field1, field2
|eval A=X-Y
|stats sum(A) as B by field 2

I'm trying to plot this value B (a barchart that is based on field 2 which is unique) and compare the different between the previous month and the month before it.

Question 5:  

| xyseries date_mday date_month count

 With my requirement for this, should the plotting of chart be like:
|xyseries date_1 date_2 B

 

Apologies for the long list of question as I am new to Splunk.

 

Thanks in advance.

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Answer 1: the printf puts a leading zero on date_mday so that the ordering is in numeric order otherwise you would end up with 1, 10, 11, 12, 13, ... 2, 20, 21 etc

Answer 2: no, you want the x-axis to be the same for both lines, which is why the printf above is done.

Answer 3: assuming you have an epoch date, you can format the way it is displayed either by eval or fieldformat date_1=strftime(date_1,"%d/%m/%Y")

Answer 4: date_month (like date_mday) is a field splunk has usually automatically added and in your case would contain one of two values, namely, august and september (which is what you asked for)

Answer 5: xyseries specifies which dimensions you want on the x-axis (day_mday), y-axis (count) and series (date_month) (it might have been better to call it xseriesy to make it easier to remember the order of the parameters!)

0 Karma

ronaldtanhj
Path Finder

Hi ITWhisperer,

Thanks for the detailed explanation.

 

However, I still couldn't get the output I want.

Is there another option to use the 'Chart Overlay' when creating a dashboard? Can i pass another value from another chart to this 'Overlay'?

ronaldtanhj_0-1603784177364.png

 

Thanks.

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Overlay works for one series but your requirement was for two and I don't think you can do that (although I might be wrong).

0 Karma

ronaldtanhj
Path Finder

Hi IT whisperer. 

Thanks for your reply, now I understand how 'xyseries' works. 

I believe what I intend to plot can be done using 'xyseries'

 

This is a sample of requirement on excel.

thumbnail_image.png

With that, I believe that using xyseries, the first input should be 'Item' to represent the item1-6 on the X axis.

Y Y should be Measurement(August or any month that's previously defined) and. 

Is there anyway to define the month?

I've tried briefly but it couldn't work:

E.g. eval prev1mon = strftime( _time, "%M)

..

eval prev2mon =.....

 

|stats sum(X1) as measurement1 by item, prev1mon

|stats sum (X2)  as measurement2 by item, prev2mon

|xyseries item measurement1 measurement2 

 

Is this the correct approach? And how should this be changed to reach my intended output? 

 

Thanks in advance!

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The time for each event is already broken down for you, as I used in my original response date_mon is the month. Having said that, you appear to be trying to get the month as a number (btw, %M gives minutes, %m gives months). So try:

-- base query
| eval date_mday=printf("%02d",date_mday)
| eval month=strftime(_time,"%m")
| stats sum(count) as count by date_mday month
| xyseries date_mday month count

The stats command will reduce the fields passed down the pipe to only those output by the stats command so

|stats sum(X1) as measurement1 by item, prev1mon
|stats sum (X2)  as measurement2 by item, prev2mon

 won't do what you are expecting as the second stats will have no X2, or prev2mon to work with so you will get no results.

In this instance, creating two different fields, prev1mon and prev2mon is not the right approach since you already have a field which identifies the month each event is from so you can use that in the by clause of the stats command (as I have shown).

0 Karma

ronaldtanhj
Path Finder

 

Hi, 

 

I have tried based on your suggestion but it shows 'no results found' 

 

I have also modified it based on my requirement (there are 2 key conditions and the final graph's xaxis should be shown in a discrete form based on condition1) understand. 

 

-- base query

| eval date_mday=printf("%02d",date_mday) 

| eval month=strftime(_time,"%m") 

 

|stats count as ABC by date_mday, month, condition1, condition2 

 

|eval EFG=round (ABC/1000,3) 

 

|stats sum(EFG) as 'XYZ' by condition1, date_mday, month 

 

|xyseries condition1, date_mday month 

 

| stats sum(count) as count by date_mday month

| xyseries date_mday month count

 

 

Question 1:

Do note that there are some calculations in values in front, will this impact the use of xyseries? 

 

 

Question 2:

Based on your reply 

Answer 5: xyseries specifies which dimensions you want on the x-axis (day_mday), y-axis (count) and series (date_month) (it might have been better to call it xseriesy to make it easier to remember the order of the parameters!) 

 

My requirement is for the X axis to be discrete unique assets and y axis to be a value for 2 different periods. Maybe I can provide u an analogy; 

 

To compare the difference in expenses for different areas over August and september. 

So for this case, the X axis will be transport , leisure and food - represented in 3 separate points.

The y axis will be the value of $$ which was previously calculated based on several conditions. 

The graph will be shown in 2 lines, one red which represents August spendings and one yellow which represents Spetember spends. 

 

 

Question 2:  is your suggestion for this output? There may be some miscommunication. 

 

Thanks!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If you are no longer plotting by day of the month but using discrete conditions you don't need to bother with date_mday (unless you are doing two separate plots).

-- base query
| eval month=strftime(_time,"%m")
| stats count as ABC by month condition1 condition2
| eval EFG=round(ABC/1000,3)
| stats sum(EFG) as XYZ by condition1 month
| xyseries condition1 month XYZ

You would normally use xyseries once to set up the table for the plot, it is fine to do calculations can be done before the xyseries (as above). 

ronaldtanhj
Path Finder

Hi,

I'm now able to plot it. Thanks!

 

To add on to that, I currently have it in my dashboard and I am trying to add a picker picker option to set the 2 separate months (might not be in sequence, e.g January Vs June).

 

Since the earliest and latest is defined by -2mon@mon and -0mon@mon, I'm unable modify it. 

 

I've tried using the token in the dashboard but was not able to display the correct month and legend. Any advise on this issue. 

 

Thanks!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If your original question is solved, please mark the appropriate answer as the solution.

In answer to your further question, the way I would approach it is to use a time picker input to allow the user to select the required time span. I would use the tokens from this to provide earliest and latest to your main query. I would also use them in a multi-select dropdown to allow the user to pick months from the timeframe, which would also be used in your main query to filter the desired months. If you only want two months, you could do this with two (single select) dropdowns and if the user selects the same month for both, they would only get one line.

0 Karma

thambisetty
SplunkTrust
SplunkTrust

you can use below earliest and latest to consider previous two months 

index=test earliest=-2mon@mon latest=-0mon@mon

you can see below the earliest and latest will consider from starting of August to end of September.

thambisetty_0-1603179001062.png

 

————————————
If this helps, give a like below.

ronaldtanhj
Path Finder

Hi,

Thanks for the reply.

Noted that the earliest and latest command is at the start of the spl.

However, I am trying to compare 2 months of data using a linechart. How can I go about overlaying the charts by setting the earliest and latest point? (i.e. Put August line chart over Sept line chart) - and later on calculating the different and putting it in a separate chart.

Thanks and apologies as I am quite new to Splunk.

Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...