Hi all, here is a well known question in a new context.
I am comparing data over weeks, but it seems that I'm shifting in a slightly wrong way from the old time range to the new range.
Querying over 14 days shows me a complete, filled timeline with events. So far so good.
After that I am splitting old and new week in the known ways,
doing a double timeshift (for better formatted timelines: shift thisWeek into the past, get the past week, shift all one week into the future).
The additional table command gives me a well formatted table to see my shifts.
But NOW it happens:
I'm working on data over 14 days; the timeline has events everywhere.
Doing the timeshifts I'm losing my events older than 10 days, so my graph for lastWeek shows only zeros from about the 10th day on.
Wtf happens here?
I tried to figure out my mistake with different time ranges: minutes, hours, 1 and 2 days work as intended, 4 days shows the first glitch, all larger searches lose additional data.
Using this code:
search = index=sw-syslog sourcetype=syslog sysl_na_device="*" AND sysl_gen_warn="*" earliest=-6d@d latest=-0d@d
| eval ReportKey="thisWeek" | eval _time=_time-(60*60*24*7)
| append [search index=sw-syslog sourcetype=syslog sysl_na_device="*" earliest=-13d@d latest=-6d@d
| eval ReportKey="lastWeek" ]
| table _time sysl_na_device sysl_gen_warn ReportKey | eval _time=_time+(60*60*24*7)
| timechart span=12h count(sysl_gen_warn) AS KPI by ReportKey
Thanks for your time and advice 😉
Greets, Michael
Comparing week-over-week results used to be a pain in Splunk, with complex date calculations. No more. Now there is a better way.
I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.
... | timechart count span=1h | timewrap w
That's it!
Got it, after about 1 week.
Thanks for the ideas and hint, lguinn!:
http://answers.splunk.com/answers/60295/comparing-time-ranges-one-report
Based on an idea to run in an autosummarized subsearch I took lguinn's approach of "not subsearching" and built a large search with later timeshifting.
Finally the code looks great and clear ...
search = index=sw-syslog sourcetype=syslog sysl_bro_device="*" AND sysl_gen_critical="*"
earliest=-17d@d latest=-0d@d
| eval ReportKey="thisWeek"
| eval ReportKey=if(_time<=relative_time(now(),"-7d"),"lastWeek",ReportKey)
| eval _time=if(ReportKey=="lastWeek",_time+60*60*24*7,_time)
| timechart span=3h count(sysl_gen_critical) AS KPI by ReportKey
and ... it worked without loss.
Bye, Mic
Splunk 6.
Additional test: no timeshift: all data will be shown.
Greets again
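The single-search approach from the accepted follow-up, modelled in Python as an added example (not code from the thread or from Splunk): events at or before now-7d get ReportKey lastWeek and are moved forward one week, then both series are counted into 3h buckets like timechart. The "now" value and the event timestamps are constructed; bucket alignment is to UTC midnight here, whereas Splunk aligns to the search's time zone.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WEEK = timedelta(days=7)
SPAN = timedelta(hours=3)          # timechart span=3h
UTC = timezone.utc

# Constructed sample input: a fixed "now" and syslog critical-event timestamps
# spread over the 17-day window the final search uses (earliest=-17d@d).
NOW = datetime(2024, 3, 15, tzinfo=UTC)
EVENTS = [
    datetime(2024, 3, 10, 2, 30, tzinfo=UTC),   # thisWeek
    datetime(2024, 3, 10, 4, 10, tzinfo=UTC),   # thisWeek
    datetime(2024, 3, 3, 1, 0, tzinfo=UTC),     # lastWeek
    datetime(2024, 3, 3, 5, 0, tzinfo=UTC),     # lastWeek
    datetime(2024, 3, 3, 5, 30, tzinfo=UTC),    # lastWeek
    datetime(2024, 3, 8, 0, 0, tzinfo=UTC),     # exactly now-7d: lastWeek
    datetime(2024, 3, 1, 10, 0, tzinfo=UTC),    # lastWeek, 14 days old
]

def label_and_shift(t, now):
    """ReportKey=if(_time<=relative_time(now(),"-7d"),"lastWeek","thisWeek")
    and _time=if(ReportKey=="lastWeek",_time+60*60*24*7,_time)."""
    if t <= now - WEEK:
        return "lastWeek", t + WEEK
    return "thisWeek", t

def bucket(t):
    """Floor a timestamp to its 3-hour span, aligned to midnight (UTC here)."""
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + SPAN * ((t - midnight) // SPAN)

def weekly_kpi(events, now):
    """Count per bucket per ReportKey, like timechart count(...) by ReportKey.
    Every input event lands in exactly one bucket, so nothing is lost."""
    table = defaultdict(lambda: {"thisWeek": 0, "lastWeek": 0})
    for t in events:
        key, shifted = label_and_shift(t, now)
        table[bucket(shifted)][key] += 1
    return dict(sorted(table.items()))

def run_example():
    return weekly_kpi(EVENTS, NOW)

if __name__ == "__main__":
    for start, counts in run_example().items():
        print(start.isoformat(), counts)
```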