Solved: Re: How to create a timechart search to compare th...

chrisduimstra · ‎06-20-2016

I am trying to create a search to show the previous 24 hour count using timechart so I can show the previous 24 hours with a trend on the single value in a dashboard. This dashboard will be used in real-time, so I am looking for previous 24h from the current time, not day by day. I have the following search.

(search) earliest=-48h | timechart span=24h count

I have determined the results are from the previous 48 hours, but the results are not grouped correctly. I'm looking for 2 results, now-24h and 24h-48h. The groups are split over 5pm, no matter what time the search is ran.

_time               count
2016-06-17 17:00    12
2016-06-18 17:00    71
2016-06-19 17:00    55

sundareshr · ‎06-20-2016

Try this

... earliest=-48h | eval when=if(_time>relative_time(now(), "-24h"), "Now", "Prev") | stats count by when

View solution in original post

sundareshr · ‎06-20-2016

Try this

... earliest=-48h | eval when=if(_time>relative_time(now(), "-24h"), "Now", "Prev") | stats count by when

chrisduimstra · ‎06-20-2016

This appears to be working, thank you.

How to create a timechart search to compare the count for the previous 24 hour period from the current time, not day by day?

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!