Solved: How to create a timechart search to compare the co...

chrisduimstra · ‎06-20-2016

I am trying to create a search to show the previous 24 hour count using timechart so I can show the previous 24 hours with a trend on the single value in a dashboard. This dashboard will be used in real-time, so I am looking for previous 24h from the current time, not day by day. I have the following search.

(search) earliest=-48h | timechart span=24h count

I have determined the results are from the previous 48 hours, but the results are not grouped correctly. I'm looking for 2 results, now-24h and 24h-48h. The groups are split over 5pm, no matter what time the search is ran.

_time               count
2016-06-17 17:00    12
2016-06-18 17:00    71
2016-06-19 17:00    55

sundareshr · ‎06-20-2016

Try this

... earliest=-48h | eval when=if(_time>relative_time(now(), "-24h"), "Now", "Prev") | stats count by when

View solution in original post

sundareshr · ‎06-20-2016

Try this

... earliest=-48h | eval when=if(_time>relative_time(now(), "-24h"), "Now", "Prev") | stats count by when

chrisduimstra · ‎06-20-2016

This appears to be working, thank you.

How to create a timechart search to compare the count for the previous 24 hour period from the current time, not day by day?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases