Timechart comparing values from now and 7 days ago

jawebb · ‎11-06-2015

Hello,

I'm trying to show trends using a single value dashboard to compare a count from now and 7 days ago. It seems when I use a one day span and a time frame of 7 days using the xml value <option name="trendInterval">-7d</option> I still get a comparison that counts between the latest data and the previous day. I tried to use a 7 day span instead but that gives me incorrect counts.

index=example | timechart span=1d dc(OfflineDevices) as Offline

Thanks

mbond81 · ‎11-07-2015

I'm trying to do a similar thing comparing current day values to yesterdays, as an overlay for visualization. Here's what I found (but you can modify the earliest/latest times and the "new time" to reflect whatever timeframe you wish. (found here http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/)

index=whatever sourcetype=whatever "Packetspersecond" sceInfoId=17 OR sceInfoId=18 earliest=-0d@d latest=now | eval ShaperData="today" | append [search index=nethlth sourcetype="nethlth_SceProcessorData" Packetspersecond sceInfoId=17 OR sceInfoId=18 earliest=-1d@d latest=-0d@d | eval ShaperData="yesterday" | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time),new_time,_time) | timechart median(packetsPerSecond) span=15m by ShaperData

Richfez · ‎11-06-2015

Timewrap will be your friend. The app is here, and in its documentation page it has quite a few tips and tricks and how to use it. Try a few of the examples, see if you can modify one to your needs, and if not, please post back and we'll be sure to help!

Timechart comparing values from now and 7 days ago

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk