
How do I write a search that displays results for a window of time for different dates? (ex: last 15 min today with last 15 min yesterday)

kylecobb
New Member

I'm trying to write a search that displays results for a window of time for specified days, weeks, months, etc for comparison.

Example:
If I use the search time range picker to provide me results for the last 15 minutes, I would also like it to provide me results for the last 15 minutes yesterday.

Trying to build a dashboard to compare results from multiple days.

Thank you!

0 Karma

acharlieh
Influencer

This assumes you have separate searches running from one time picker on your dashboard. If your search for today looked like

<your base search> | <other functions> | timechart <statsfunction>

You could have a separate panel search for the same time window yesterday using some subsearch trickery to adjust the earliest and latest timeframe of this search back to yesterday like so:

<your base search> [ noop | stats count 
        | addinfo 
        | eval earliest=relative_time(info_min_time,"-d") 
        | eval latest=relative_time(info_max_time,"-d")
        | fields earliest latest 
        | format "" "" "" "" "" "" ]
| <other functions> | timechart <statsfunction>

How does this subsearch work, you might ask? Well, noop | stats count in a subsearch is a trick to generate a single event, with a single field of count=0, by running the undocumented "do nothing" noop command and then counting that nothing with stats. We use addinfo to add fields to our single event about the selected time window for the search, and then use eval to calculate the earliest and latest time based on the selected time window using the relative_time function. We only care about the earliest and latest fields from this subsearch, so we throw the rest away using fields. Finally, as earliest and latest should be written into the search as earliest=### latest=###, with no surrounding parentheses, no ANDs nor any ORs, we use the format command to do just that.

The rest of the search is the same as written.

Now it might be possible to get this running with the multisearch command to run your search twice at the same time, and chart them onto the same graph, but I'm getting some unexpected results with a quick smoke test.

You may also be interested in the timewrap app & command as it would make stuff like this easier 🙂
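As an added example (not code from the original thread), here is one way to wire the subsearch approach above into a Simple XML dashboard: a single time input drives both panels, and a dropdown token supplies the relative_time offset so the second panel can show the same window from yesterday, last week or last month. The index, sourcetype and labels are placeholders.

```xml
<form version="1.1">
  <label>Selected window vs. earlier window</label>
  <fieldset submitButton="false">
    <!-- One time picker feeds both panels -->
    <input type="time" token="win">
      <label>Time window</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Offset passed to relative_time() in the second panel's subsearch -->
    <input type="dropdown" token="shift">
      <label>Compare with</label>
      <choice value="-d">Same window yesterday</choice>
      <choice value="-7d">Same window last week</choice>
      <choice value="-mon">Same window last month</choice>
      <default>-d</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Selected window</title>
      <chart>
        <search>
          <!-- Placeholder base search; replace with your own -->
          <query>index=main sourcetype=access_combined | timechart count</query>
          <earliest>$win.earliest$</earliest>
          <latest>$win.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    <panel>
      <title>Same window shifted by $shift$</title>
      <chart>
        <search>
          <!-- The subsearch inherits the picker's range via addinfo, shifts it by $shift$,
               and format emits earliest=... latest=... which override the picker's range -->
          <query>index=main sourcetype=access_combined [ noop | stats count | addinfo | eval earliest=relative_time(info_min_time,"$shift$") | eval latest=relative_time(info_max_time,"$shift$") | fields earliest latest | format "" "" "" "" "" "" ] | timechart count</query>
          <earliest>$win.earliest$</earliest>
          <latest>$win.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```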
