
How do I edit my timechart search with timewrap to compare the latest 2 hours with the same 2 hours 3 days ago?

mattusr
Explorer

Hello,

Sorry if this has been answered before, however, I am struggling with a search that I am trying to build.

The ideal result that I am trying to achieve is the following:

I want a time chart to display the last two hours for a field like duration. In addition to showing the last two hours, I want it to show the same hours, but for the previous 3 days. Therefore, I want to compare the recent/latest two hours with those of the previous days.

I thought I could achieve this with the timewrap app, but I am struggling to write the search:

index="main" 
[stats count | eval earliest="-4d" | fields earliest]
[stats count | eval latest="now" | fields latest] 
| timechart avg(duration)
| timewrap d

Please let me know if I have not provided enough information.


colinmchugo
Explorer

Hi lads,

I am trying to do a timechart for multiple panels showing trendlines. So at the end of most of my panels I am just counting the count using stats count. I want to show the difference between this reading in the last 12 hours with the previous day, or something that will show me that my calculations in parameters and so I know if the log files go down etc. Thanks.


Richfez
SplunkTrust

I have reworked a few things, but try this.

NOTE that I have a gap in MY events (it's just my test/home system) from 96 to 98 hours ago, so I had to use a somewhat different time frame then adjust it back - it MAY take a little tweaking to get just right but I think this is it:

index="main" earliest=-98h@h latest=-96h@h 
| append [search index="main" earliest=-2h@h latest=@h]
| timechart span=2h count 
| timewrap h series=short 
| eval percent_difference = 's1'/'s-95'*100 
| rename s-95 AS 4_days_ago s1 AS today

The big difference is I use the hourly timeframe of -96 to -98 hours ago for my "4 days ago" - so I'm taking now - 4 days (snapped to the hour) as my latest, then going back 2 more hours so that I have the most "aligned" time frame, then appending to that the data from the last 2 hours (also snapped to the hour to make the match as good as possible).

Then I timechart it into 2h chunks, then timewrap it by hours (not days - days will separate these out onto two lines for reasons too lengthy even for me to get into here) to get your two fields. I tossed in, free of any extra charge, a freebie that finds the percentage difference between the two sums, so lucky you! Then I just rename some things.

BTW, no guarantees this will not be off by an hour on the days when the 4-day period involved spans a daylight saving time change. In fact, I know the "96 hours ago" will be off by one hour during those few days. Not sure how to fix that easily.

There are other methods available, but I think because of the small time frames so widely separated that this is better than most of the others.

mattusr
Explorer

Hi,

Thank you so much for a response, I have been away so finally got to test in our production environment.

I am struggling with the search.

To make it clearer, would you be able to incorporate the following into your example?

Trying to timechart field (time_taken) and want to timechart the average so avg(time_taken)

Hope this makes sense!

Thanks


Richfez
SplunkTrust

I just saw this comment - nearly a year later! Sorry!

I am not quite sure I follow, though perhaps I do but don't understand how it would work. Still, if I had to make a guess, try changing the timechart in the above to:

timechart sum(time_taken) as total_time_taken, avg(time_taken) as avg_time_taken

Then just follow on with everything else. There are sure to be other minor adjustments, but that should get you started.

If that's not what you need, and you need this question still answered, please reply back with more information!

On the other hand, if this is resolved now and if this helped you significantly, please "Accept" the answer. If this is resolved but my answer didn't help a whole lot, it would be great if you could post your own answer then mark that one accepted!

Thanks,
Rich
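Added example (Python, not SPL, and not code from the thread) that reproduces the logic of Richfez's search outside Splunk so the windowing can be checked on known data: snap "now" to the hour, take the latest 2-hour window and the same 2-hour window 96 hours earlier, average time_taken in each, and compute the percent difference; it also generalises to several previous days, as mattusr originally asked. The events and the fixed "now" are constructed, and everything is UTC, so the DST caveat above does not apply to the sample.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean

def snap_to_hour(ts):
    """Equivalent of Splunk's @h snap: drop minutes, seconds, microseconds."""
    return ts.replace(minute=0, second=0, microsecond=0)

def window_avg(events, start, end):
    """avg(time_taken) over events with start <= _time < end; None if empty."""
    vals = [v for t, v in events if start <= t < end]
    return mean(vals) if vals else None

def compare_windows(events, now, days_back=(4,), span_hours=2):
    """Latest span_hours (earliest=-2h@h latest=@h) vs. the same span
    24*N hours earlier for each N in days_back (-98h@h..-96h@h for N=4).
    Returns today's avg, each baseline avg and the percent difference."""
    latest = snap_to_hour(now)
    span = timedelta(hours=span_hours)
    out = {"today": window_avg(events, latest - span, latest)}
    for n in days_back:
        base_end = latest - timedelta(hours=24 * n)
        base = window_avg(events, base_end - span, base_end)
        out[f"{n}_days_ago"] = base
        # mirrors: eval percent_difference = 'today'/'4_days_ago'*100
        ok = out["today"] is not None and base
        out[f"percent_difference_{n}d"] = out["today"] / base * 100 if ok else None
    return out

def sample_events():
    """Constructed (_time, time_taken) pairs, not real data."""
    u = lambda *a: datetime(*a, tzinfo=timezone.utc)
    return [
        (u(2024, 3, 7, 10, 15), 200), (u(2024, 3, 7, 11, 45), 400),   # 4 days ago -> 300
        (u(2024, 3, 10, 10, 30), 400), (u(2024, 3, 10, 11, 30), 500), # 1 day ago -> 450
        (u(2024, 3, 11, 9, 59), 9999),   # just before -2h@h, must be excluded
        (u(2024, 3, 11, 10, 30), 300), (u(2024, 3, 11, 11, 10), 420), # latest -> 360
        (u(2024, 3, 11, 12, 10), 9999),  # after latest=@h, must be excluded
    ]

def run_sample():
    """Run the comparison at a fixed, constructed 'now' of 12:34 UTC."""
    now = datetime(2024, 3, 11, 12, 34, tzinfo=timezone.utc)
    return compare_windows(sample_events(), now, days_back=(1, 3, 4))

if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

Note that 3 days ago has no events in the window, so both its average and its percent difference come back as None rather than a division error; in SPL the equivalent eval would simply produce no value for that row.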
