I'd like to compare a chart of this week's activity to a specific, never changing baseline week.
I would determine which week is the perfect representative week of normal behaviour, say Feb 08 to Feb 14 2016, and then always compare current activity to that one.
I read the following, but that does not let me input a static date, and if I understand it correctly I would have to consider everything from Feb 08 to today and get rid of everything in between, which does not make a lot of sense.
https://answers.splunk.com/answers/297910/how-to-compare-data-for-specified-absolute-dates-u.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
Any ideas?
EDIT
@Stevelim: thanks, your link looks like what I need to do; however, I'm still missing something.
http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/
In the example you need to add a day to _time in the second query in order to have them overlap, because it's comparing today with yesterday. In my case I'll have to add the time difference between the current beginning of the week, and the start date of the baseline which never changes.
Here is an example with hours. I'm comparing the current hour to a certain hour:
eventtype=JmxMemoryEvent earliest=-0h@h latest=now | eval pctUsed=round(heapUsed/heapMax*100,0) | eval ReportKey="RightNow" |
append [search eventtype=JmxMemoryEvent earliest=1458846000 latest=1458849600 | eval pctUsed=round(heapUsed/heapMax*100,0) | eval ReportKey="Before"] | timechart avg(pctUsed) by ReportKey
Within the second search I need to do something like
eval _time=_time+(-0h@h from the first search MINUS 1458846000 which is the beginning of reference hour)
I can't find good examples on _time manipulation, and if I find something I'm not sure what -0h@h within the second search will be relative to. Right now or the latest from the timerange of the second search?
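One way to express the shift described in the question, as an added example that is not part of the original post: the event type, fields and baseline epoch are the ones from the search above, and the offset is computed with the eval functions `relative_time()` and `now()`. `now()` is the time the search was started, so the snap to `@h` refers to the current hour and not to the `earliest`/`latest` of the subsearch.

```spl
eventtype=JmxMemoryEvent earliest=-0h@h latest=now
| eval pctUsed=round(heapUsed/heapMax*100,0)
| eval ReportKey="RightNow"
| append
    [ search eventtype=JmxMemoryEvent earliest=1458846000 latest=1458849600
    | eval pctUsed=round(heapUsed/heapMax*100,0)
    | eval ReportKey="Before"
    | eval _time=_time + (relative_time(now(), "@h") - 1458846000) ]
| timechart avg(pctUsed) by ReportKey
```

For the weekly comparison, the same shift applies with a week snap (for example `"@w1"` for a Monday start) and the epoch of the first second of the baseline week in place of 1458846000.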