Splunk Search

Problems comparing 2 Weeks, timeranges get lost

michaelmusiol
New Member

Hi all, here a well known question in a new context.

I am comparing data over weeks, but it seems I'm shifting the old timerange to the new range in a slightly wrong way.

Querying over 14 days shows me a complete, filled timeline with events. So far so good.
After that I split the old and new week in the known ways,
doing a double timeshift (for better formatted timelines: shift thisWeek into the past, get the past week, shift everything one week into the future).
The additional table command gives me a well formatted table to see my shifts.

But NOW it happens:
I'm working on data over 14 days; the timeline has events everywhere.
Doing the timeshifts I'm losing my events older than 10 days, so my graph for lastWeek shows only zeros from about the 10th day on.

Wtf happens here?
I tried to figure out my mistake with different timeranges: mins, hours, 1 + 2 days work as intended, 4 days shows the first glitch, all larger searches lose additional data.

Using this code:

search = index=sw-syslog sourcetype=syslog sysl_na_device="*" AND sysl_gen_warn="*" earliest=-6d@d latest=-0d@d
| eval ReportKey="thisWeek" | eval _time=_time-(60*60*24*7)
| append [search index=sw-syslog sourcetype=syslog sysl_na_device="*" earliest=-13d@d latest=-6d@d
    | eval ReportKey="lastWeek" ]
| table _time sysl_na_device sysl_gen_warn ReportKey | eval _time=_time+(60*60*24*7)
| timechart span=12h count(sysl_gen_warn) AS KPI by ReportKey

Thanks for your time and advice 😉

Greets, Michael

1 Solution

carasso
Splunk Employee

Comparing week-over-week results used to be a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1h | timewrap w

That's it!

http://apps.splunk.com/app/1645/


michaelmusiol
New Member

Got it, after about 1 week.
Thanks for the ideas and hint, lguinn!:
http://answers.splunk.com/answers/60295/comparing-time-ranges-one-report

Based on an idea to run in an autosummarized subsearch, I took lguinn's approach of "not subsearching" and built a large search with later timeshifting.

Finally the code looks great and clear ...

search = index=sw-syslog sourcetype=syslog sysl_bro_device="*" AND sysl_gen_critical="*" earliest=-17d@d latest=-0d@d
| eval ReportKey="thisWeek"
| eval ReportKey=if(_time<=relative_time(now(),"-7d"),"lastWeek",ReportKey)
| eval _time=if(ReportKey=="lastWeek",_time+60*60*24*7,_time)
| timechart span=3h count(sysl_gen_critical) AS KPI by ReportKey

and ..... it worked without loss.

Bye, Mic

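The single-search approach in the post above, and the append-based version in the original question, both boil down to one transformation: label each event with the week it belongs to, shift the older week forward by seven days so both weeks share one x-axis, then bucket by span and count per label. The following Python models that transformation, generalised to an arbitrary period the way timewrap does it. It is an added example, not code from this thread or from the timewrap app; the events, the fixed reference time NOW (standing in for Splunk's now()) and the labels period-0 / period-1 (thisWeek / lastWeek in the thread's terms) are constructed for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed fixed reference time standing in for Splunk's now() (constructed).
NOW = datetime(2024, 3, 14, 0, 0, tzinfo=timezone.utc)


def make_events(days=14):
    """Constructed syslog-like events: four per day at 03:00, 09:00, 15:00 and
    21:00 over the last `days` days, as (timestamp, device, warning) tuples.
    The odd-hour offsets keep every event off a period boundary."""
    start = NOW - timedelta(days=days)
    events = []
    for d in range(days):
        for hour in (3, 9, 15, 21):
            ts = start + timedelta(days=d, hours=hour)
            events.append((ts, f"switch{d % 3}", "link-down"))
    return events


def wrap_by_period(events, period, span, now=NOW):
    """Single-pass equivalent of the thread's final search, generalised to any
    period (which is what timewrap does): label each event by how many whole
    periods back it lies (period-0 = thisWeek, period-1 = lastWeek), shift
    older periods forward by k*period so every series shares the current
    period's x-axis, then bucket by `span` and count.
    Returns {bucket_start: {label: count}}."""
    span_s = span.total_seconds()
    series = defaultdict(lambda: defaultdict(int))
    for ts, _device, _warning in events:
        age = now - ts
        k = age // period              # like: eval ReportKey=if(_time<=relative_time(now(),"-7d"),...)
        aligned = ts + k * period      # like: eval _time=if(ReportKey=="lastWeek",_time+7d,_time)
        bucket = datetime.fromtimestamp(
            math.floor(aligned.timestamp() / span_s) * span_s,
            tz=timezone.utc)           # like: timechart span=...
        series[bucket][f"period-{k}"] += 1
    return series


def to_rows(series):
    """Flatten to sorted (bucket, label, count) rows, like the timechart table."""
    return sorted((b.isoformat(), label, n)
                  for b, labels in series.items()
                  for label, n in labels.items())


if __name__ == "__main__":
    table = wrap_by_period(make_events(), timedelta(days=7), timedelta(hours=12))
    for row in to_rows(table):
        print(*row)
```

With 14 days of constructed input every 12h bucket of the last seven days carries two events for period-0 and two for period-1, i.e. no gaps in the older series. Doing the labelling in one pass over the full time range is the point: the older week is never handed to an append subsearch, which is the step at which the original search lost events.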

michaelmusiol
New Member

Splunk 6,
additional test: no timeshift: all data is shown

greets again
