
How to improve the performance of my variance timewrap search?

mattusr
Explorer

Hi,

I currently have a search that I use to show day variances using timewrap. It works fine with a low amount of data, but I don't believe it is the best for efficiency.

My aim for the search is to show today, yesterday, and last week on a line chart.

Search:

index=abc earliest=-8d@d latest=+d@d | timechart span=15m count | timewrap 1d | fields _time latest_day 1day_before 7days_before

Time range:
@d+6h - now

So my search goes and obtains all the previous days and only keeps the 3 I require. If this can be improved, I would appreciate the help.

Thanks


somesoni2
SplunkTrust

Give this a try

Updated

index=abc earliest=-7d@d latest=+d@d
| where _time>=relative_time(now(),"-1d@d") OR _time<relative_time(now(),"-6d@d")
| eval Period=case(_time<relative_time(now(),"-6d@d"),"SameDayLastWeek", _time<relative_time(now(),"@d"),"Yesterday", 1=1,"Today")
| eval _time=case(Period="SameDayLastWeek",relative_time(_time,"+7d"), Period="Yesterday",relative_time(_time,"+1d"), 1=1,_time)
| timechart count by Period

mattusr
Explorer

Thank you for the response. When I try to run the search I get the following error:

Error in eval command. The expression is malformed. Expected ).

Can't spot where the missing bracket should go. I will continue to look, as I do not think it is far off.


somesoni2
SplunkTrust

There was a comma missing; fixed the same. Also updated the criteria to a simpler version in the second eval case.


twinspop
Influencer

This uses 2 subsearches, which means you're running 3 searches at once -- not always optimal. The advantage is that it avoids searching over data you're not using:

index=abc earliest=@d latest=@d+1d| timechart count as Today |
appendcols [ search index=abc earliest=-1d@d latest=@d | timechart count as Yesterday ] |
appendcols [ search index=abc earliest=-7d@d latest=-6d@d | timechart count as LastWeek ]

EDIT: Left out words! Oops.


mattusr
Explorer

Thank you for the answer. When I attempt to run the search I see the following error:

Unknown search command 'index'

Therefore I thought that the search may just need the word 'search' added to it before the index:

index=abc earliest=@d latest=@d+1d| timechart count as Today |
appendcols [ search index=abc earliest=-1d@d latest=@d | timechart count as Yesterday ] |
appendcols [ search index=abc earliest=-7d@d latest=-6d@d | timechart count as LastWeek ]

The only issue I had running this search is that it didn't really display the lines on a timechart correctly.


twinspop
Influencer

Re: not displaying correctly... weird. What are you seeing? The 3 commands that are in play should produce exactly the same number of rows of output, so appendcols should line them up perfectly. Maybe try adding a span=1h to each timechart command?


mattusr
Explorer

Sorry for the late reply. Shame I can't upload a picture, but the following happens:

The today line starts at 6 am and runs to the hour which you are running the search in
The last week and yesterday lines seem to line up together and not with the today line

Also the timescale at the bottom covers the today line so it is not in line with the last week and yesterday lines

Hope this makes sense


twinspop
Influencer

Arg! Left out the search commands. Fixed.

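Added example, not code from this thread or from Splunk: a small plain-Python model of the three approaches discussed above, so the alignment behaviour can be checked offline without a Splunk instance. `timewrap_overlay` mirrors the question's `timechart span=15m count | timewrap 1d` search, `shift_overlay` mirrors somesoni2's `where`/`eval`/`relative_time` shift, and `appendcols_at_0800` mirrors twinspop's `appendcols` join of separately charted time ranges. All function names, the 2024-03-20 09:40 "now" and the event timestamps are constructed for the example; only the bucket and window arithmetic is meant to match what the SPL does.

```python
"""Overlay today / yesterday / same day last week on one time-of-day axis.
Added example for the thread above, not Splunk's or the posters' code; every
timestamp is constructed sample data and every function name is our own."""
from datetime import datetime, timedelta

SERIES = ("Today", "Yesterday", "SameDayLastWeek")

def day_start(ts):
    """Snap to midnight, i.e. the @d snap in Splunk relative time."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)

def series_label(ts, now):
    """Series a timestamp belongs to, or None if outside the three windows:
    Today=[@d,+1d@d)  Yesterday=[-1d@d,@d)  SameDayLastWeek=[-7d@d,-6d@d).
    Anything before -7d@d is day -8 and is dropped, not relabelled."""
    back = (day_start(now) - day_start(ts)).days
    return {0: "Today", 1: "Yesterday", 7: "SameDayLastWeek"}.get(back)

def timechart_rows(events, start, end, span):
    """One (bucket_start, count) row per span over [start, end), zero rows
    included, as `timechart span=<span> count` emits for a search window."""
    rows, t = [], start
    while t < end:
        rows.append((t, sum(1 for e in events if t <= e < t + span)))
        t += span
    return rows

def timewrap_overlay(events, now, span_minutes=15):
    """timewrap model: one timechart over [-7d@d, +1d@d); each row is keyed
    by its clock time and labelled by days back; days other than 0, 1 and 7
    are dropped (the `fields ...` step).  Returns {"HH:MM": {series: n}}."""
    d0, span = day_start(now), timedelta(minutes=span_minutes)
    rows = timechart_rows(events, d0 - timedelta(days=7),
                          d0 + timedelta(days=1), span)
    wrapped = {}
    for start, count in rows:
        name = series_label(start, now)
        if name:
            wrapped.setdefault(start.strftime("%H:%M"), {})[name] = count
    return wrapped

def shift_overlay(events, now, span_minutes=15):
    """eval/_time-shift model: keep events in the three windows, move each
    onto today's date (the relative_time(_time,"+7d") / "+1d" step), then
    timechart each series over today.  Same return shape as above."""
    d0, span = day_start(now), timedelta(minutes=span_minutes)
    shifted = {name: [] for name in SERIES}
    for e in events:
        name = series_label(e, now)
        if name:
            shifted[name].append(d0 + (e - day_start(e)))
    wrapped = {}
    for name in SERIES:
        for start, count in timechart_rows(shifted[name], d0,
                                           d0 + timedelta(days=1), span):
            wrapped.setdefault(start.strftime("%H:%M"), {})[name] = count
    return wrapped

def appendcols_join(first_rows, second_rows):
    """appendcols model: row i of the second result is glued onto row i of
    the first, whatever time each row represents (None past the end)."""
    return [(start, c1, second_rows[i][1] if i < len(second_rows) else None)
            for i, (start, c1) in enumerate(first_rows)]

def appendcols_at_0800(events, now, today_span_min, yesterday_span_min):
    """Chart today [@d, now) and yesterday [-1d@d, @d) with separate spans,
    join them appendcols-style and return (today, yesterday) counts on the
    row whose first-series bucket is 08:00.  Unequal spans give unequal row
    counts, so that row's yesterday value then comes from another hour."""
    d0 = day_start(now)
    today = timechart_rows(events, d0, now, timedelta(minutes=today_span_min))
    yday = timechart_rows(events, d0 - timedelta(days=1), d0,
                          timedelta(minutes=yesterday_span_min))
    for start, c_today, c_yday in appendcols_join(today, yday):
        if start.strftime("%H:%M") == "08:00":
            return c_today, c_yday

# Constructed sample: "now" is 09:40 on 2024-03-20.  The same three clock
# times occur today, yesterday, 7 days ago and (as a decoy) 8 days ago; one
# extra event yesterday at 17:02 is later than today's current clock time.
NOW = datetime(2024, 3, 20, 9, 40)
SAMPLE_EVENTS = [
    day_start(NOW) - timedelta(days=d) + timedelta(hours=h, minutes=m)
    for d in (0, 1, 7, 8)
    for h, m in ((8, 5), (8, 10), (9, 31))
]
SAMPLE_EVENTS.append(day_start(NOW) - timedelta(days=1)
                     + timedelta(hours=17, minutes=2))

if __name__ == "__main__":
    for clock, counts in timewrap_overlay(SAMPLE_EVENTS, NOW).items():
        if any(counts.values()):
            print(clock, counts)
    print("appendcols 15m/15m at 08:00:", appendcols_at_0800(SAMPLE_EVENTS, NOW, 15, 15))
    print("appendcols 15m/30m at 08:00:", appendcols_at_0800(SAMPLE_EVENTS, NOW, 15, 30))
```

Run stand-alone it prints the non-empty 15-minute buckets with all three series lined up by clock time (the wrap and the shift produce identical tables), then the appendcols row for 08:00 twice: with equal spans the Yesterday column holds yesterday's 08:00 count, while with 30-minute buckets on the yesterday search the same row position holds the 16:00 count, which is the kind of misalignment the span suggestion above avoids. Note that the SameDayLastWeek window is [-7d@d, -6d@d); the day-8 decoy events are dropped rather than shifted onto another day.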