Solved: Wants to compare last 4 hours data with last 2 day...

Sishad · ‎08-13-2024

Hi Splunk experts,

I want to compare the response code of our API for last 4 hours with last 2 days data over the same time.
And if possible I would need results in a chart/table format where it shows the data as below.

<Reponse Codes | Last 4 Hours | Yesterday | Day before Yesterday>

As of now i am getting results in hours wise.
Can we achieve this one in Splunk ? Can you guys please guide me in the right direction to achieve this.

ITWhisperer · ‎08-13-2024

Yes, the timewrap command can take the output from a timechart to create multiple lines over the 4 hour period

View solution in original post

Sishad · ‎08-14-2024

Thanks @ITWhisperer for your suggestion.😊

I was able to do produce the requested data via this command.

ITWhisperer · ‎08-13-2024

Start by changing the time period on your search to (earliest=now-4h latest=now) OR (earliest=-1d-4h latest=-1d) OR (earliest=-2d-4h latest=-2d)

Sishad · ‎08-13-2024

But I was looking to can show these 3 timeline values as a chart/table.
So that I can create a report on this and send out email to my team.
Can this be achieved ?

ITWhisperer · ‎08-13-2024

Yes, the timewrap command can take the output from a timechart to create multiple lines over the 4 hour period

Wants to compare last 4 hours data with last 2 days data over the same time

chart

subsearch

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?