
Using Timewrap to get a baseline of where the average traffic should be in a time chart based on a week ago and 2 weeks ago

jaywilwk
Engager

index=proxysg sourcetype=proxysg
| eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC")
| search Category=IBC Allow
| timechart per_second(eval(round(if(Category="IBC",src_bytes,0)*8/1024/1024,2))) AS IBC_Traffic_Mb

Using the timewrap app, I was trying to provide a baseline of what the traffic should be within a 30 minute window based on the same 30 minute window from the past 2 weeks ago on the same day. (Ex: compare the current 30 minute window of Wednesday to the 30 minute window of Wednesday a week and two weeks ago.) Above is my current search that presents a timechart showing Megabits per second over the last 30 minutes.


MuS
SplunkTrust

Hi jaywilwk,

how about this:

index=proxysg sourcetype=proxysg earliest=-3w@w latest=-0w@w 
| eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") 
| search Category=IBC Allow 
| timechart span=30m per_second(eval(round(if(Category="IBC",src_bytes,0)*8/1024/1024,2))) AS IBC_Traffic_Mb 
| timewrap w | where strftime(_time, "%A") == "Wednesday"

btw, this is taken from the timewrap docs

cheers, MuS

MuS
SplunkTrust

Hi jaywilwk,

take this run everywhere example and adapt it to your needs:

index=_internal source=*metrics.log series="splunkd" earliest=-2w@w
| timechart span=30m avg(kbps) as avg_kbps by series
| timewrap w
| eval myTime=relative_time(now(), "-30m@m")
| where _time>=myTime

this will compare the last 30 minutes with the last two weeks at the same 30 minutes.

Please mark this as answered by ticking the tick - thanks

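The same-span-a-week-ago comparison that the run-everywhere search above performs with timechart span=30m and timewrap w, reproduced outside Splunk as an added example (not from this thread or from Splunk): it buckets proxy events into 30-minute spans, computes the IBC Mb/s that the per_second(...) eval in the question computes, and reports the current span beside the same span one and two weeks earlier plus their average as the baseline. The event tuple layout (timestamp, category, src_bytes), the constant MBIT_BYTES_PER_SPAN and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

SPAN = timedelta(minutes=30)           # timechart span=30m
WEEK = timedelta(weeks=1)              # timewrap w
MBIT_BYTES_PER_SPAN = 235_929_600      # assumed constant: bytes that equal 1 Mb/s over a 30-minute span

def bucket(ts):
    """Floor a timestamp to the start of its 30-minute span (the timechart bucket)."""
    return ts.replace(minute=(ts.minute // 30) * 30, second=0, microsecond=0)

def ibc_mbps_by_span(events):
    """per_second(src_bytes*8/1024/1024) of 'IBC Allow%' events, keyed by span start."""
    totals = {}
    for ts, category, src_bytes in events:
        if category.startswith("IBC Allow"):      # like(category,"IBC Allow%")
            b = bucket(ts)
            totals[b] = totals.get(b, 0) + src_bytes
    # per_second divides the span total by the span length in seconds
    return {b: round(v * 8 / 1024 / 1024 / SPAN.total_seconds(), 2) for b, v in totals.items()}

def timewrap_baseline(mbps, now, weeks=2):
    """Current span vs. the same span 1..weeks weeks earlier, with their average as baseline."""
    cur = bucket(now)
    prior = [mbps.get(cur - WEEK * k, 0.0) for k in range(1, weeks + 1)]
    return {"span": cur, "weekday": cur.strftime("%A"), "current": mbps.get(cur, 0.0),
            "prior": prior, "baseline": round(sum(prior) / weeks, 2)}

# Constructed sample: a Wednesday 10:00-10:30 UTC window and its counterparts one and two weeks earlier.
NOW = datetime(2024, 3, 20, 10, 5, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (NOW, "IBC Allow Streaming", 3 * MBIT_BYTES_PER_SPAN),
    (NOW + timedelta(minutes=12), "IBC Allow Web", MBIT_BYTES_PER_SPAN),
    (NOW + timedelta(minutes=50), "IBC Allow Web", MBIT_BYTES_PER_SPAN),   # next span, not counted
    (NOW, "Non-IBC Block", 10 * MBIT_BYTES_PER_SPAN),                     # filtered out by category
    (NOW - WEEK, "IBC Allow Web", 3 * MBIT_BYTES_PER_SPAN),
    (NOW - 2 * WEEK, "IBC Allow Web", MBIT_BYTES_PER_SPAN),
]

if __name__ == "__main__":
    print(timewrap_baseline(ibc_mbps_by_span(SAMPLE_EVENTS), NOW))
    # weekday 'Wednesday', current 4.0, prior [3.0, 1.0], baseline 2.0
```

The current span sits well above its two-week baseline here, which is the kind of deviation the timechart in the thread is meant to make visible.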

MuS
SplunkTrust

okay, I can only show you the way to go but I cannot solve your problems, because I don't have your real world events available.
Your base search must go over the last two weeks, and you probably need to do some additional filtering at the end to get back only those last 30 min.


jaywilwk
Engager

I want the timechart to show the current Mb/s average for the last 30 minutes and also show the average same 30 minutes from the last 2 weeks.
