Bit of a complicated comparison question. I need to compare the revenue of multiple applications over multiple days without appending searches to limit time frames. Sounds simple, but I need those days to be the current weekday compared with the same weekday over the last few weeks (let's say last 3-4 weeks).
An example would be taking the revenue of the top 10 apps out of 50 and viewing their separate trending over "today", Wednesday for the sake of argument, and the last 3 Wednesdays. So each app would show today's revenue so far as well as the revenue for the same day of the last 3 weeks.
If this can be done without appending searches, that would be best.
You could do something like this:
index=_internal earliest=-4w@d latest=@d+d date_wday=`current_wday`
| timechart span=1h count | timewrap d
| fields _* latest_day 7days_before 14days_before 21days_before 28days_before
current_wday is an eval-based macro defined like this:
strftime(time(), "%A")
timewrap is available here: http://apps.splunk.com/app/1645/