Hi,
I currently have a search that I use to show day variances using timewrap. It works fine with a low amount of data, but I don't believe it is the most efficient approach.
My aim for the search is to show today, yesterday, and last week on a line chart.
Search:
index=abc earliest=-8d@d latest=+d@d | timechart span=15m count | timewrap 1d | fields _time latest_day 1day_before 7days_before
Time range:
@d+6h - now
So my search goes and obtains all the previous days and only keeps the 3 I require. If this can be improved, I would appreciate the help.
Thanks
Give this a try
Updated
index=abc earliest=-7d@d latest=+d@d | where _time>relative_time(now(),"-1d@d") OR _time<relative_time(now(),"-6d@d")
| eval Period=case(_time<relative_time(now(),"-6d@d"),"SameDayLastWeek", _time<relative_time(now(),"@d"),"Yesterday", 1=1,"Today")
| eval _time=case(Period="SameDayLastWeek",relative_time(_time,"+7d"), Period="Yesterday",relative_time(_time,"+1d"), 1=1,_time) | timechart count by Period
Thank you for the response. When I try to run the search I get the following error:
Error in eval command. The expression is malformed. Expected ).
Can't spot where the missing bracket should go; I will continue to look, as I do not think it is far off.
There was a comma missing; fixed the same. Also updated the criteria to a simpler version in the second eval-case.
This uses 2 subsearches, which means you're running 3 searches at once -- not always optimal. The advantage is that it avoids searching over data you're not using:
index=abc earliest=@d latest=@d+1d| timechart count as Today |
appendcols [ search index=abc earliest=-1d@d latest=@d | timechart count as Yesterday ] |
appendcols [ search index=abc earliest=-7d@d latest=-6d@d | timechart count as LastWeek ]
EDIT: Left out words! Oops.
Thank you for the answer. When I attempt to run the search I see the following error:
Unknown search command 'index'
Therefore I thought that the search may just need the word 'search' added to it before the index:
index=abc earliest=@d latest=@d+1d| timechart count as Today |
appendcols [ search index=abc earliest=-1d@d latest=@d | timechart count as Yesterday ] |
appendcols [ search index=abc earliest=-7d@d latest=-6d@d | timechart count as LastWeek ]
The only issue I had running this search is that it didn't really display the lines on a timechart correctly.
Re: not displaying correctly... weird. What are you seeing? The 3 commands that are in play should produce exactly the same number of rows of output, so appendcols should line them up perfectly. Maybe try adding a span=1h to each timechart command?
Sorry for the late reply. It's a shame I can't upload a picture, but the following happens:
The today line starts at 6 am and runs to the hour in which you are running the search.
The last week and yesterday lines seem to line up together and not with the today line.
Also, the timescale at the bottom covers the today line, so it is not in line with the last week and yesterday lines.
Hope this makes sense
Arg! Left out the search commands. Fixed.
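Added example, not part of either answer above or of Splunk itself: a small Python emulation of what the two SPL approaches in this thread do, so the two things that actually matter for the overlay can be checked on constructed data. The first answer labels each event with a Period, shifts yesterday's and last week's _time forward by 1d / 7d and counts by (bucket, Period); the second runs three independent timecharts and glues them together with appendcols, which only works when every series has the same number of rows. The index name, the events and the "now" timestamp are invented, and timestamps are naive local times (no timezone handling).

```python
# Added example (not from the thread): emulates in Python what the two SPL
# approaches above do, so the day-boundary and row-alignment points can be
# checked on constructed data. Events and "now" below are invented.
from collections import Counter
from datetime import datetime, timedelta

SPAN = timedelta(minutes=15)                        # timechart span=15m
BUCKETS_PER_DAY = int(timedelta(days=1) / SPAN)     # 96 rows per day


def day_start(t):
    """Equivalent of the @d snap."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def bucket(t):
    """Snap a timestamp to the start of its 15-minute bucket."""
    return t.replace(minute=(t.minute // 15) * 15, second=0, microsecond=0)


def period_of(t, now):
    """Label an event the way the where/eval-case of the first answer does:
    [-7d@d, -6d@d) -> SameDayLastWeek, [-1d@d, @d) -> Yesterday,
    [@d, +1d@d) -> Today, anything else (e.g. 8 days ago) -> None (dropped).
    Note the window is one whole day wide; reading it as [-8d@d, -7d@d)
    would overlay the wrong weekday."""
    today = day_start(now)
    one_day = timedelta(days=1)
    if today - 7 * one_day <= t < today - 6 * one_day:
        return "SameDayLastWeek"
    if today - one_day <= t < today:
        return "Yesterday"
    if today <= t < today + one_day:
        return "Today"
    return None


SHIFT = {"SameDayLastWeek": timedelta(days=7),
         "Yesterday": timedelta(days=1),
         "Today": timedelta(0)}


def overlay_by_shift(events, now):
    """First answer: label, shift _time forward onto today, count by
    (bucket, Period). Returns one row per bucket of today as
    (bucket_start, today, yesterday, same_day_last_week)."""
    counts = Counter()
    for t in events:
        period = period_of(t, now)
        if period is not None:
            counts[(bucket(t + SHIFT[period]), period)] += 1
    today = day_start(now)
    rows = []
    for i in range(BUCKETS_PER_DAY):
        b = today + i * SPAN
        rows.append((b, counts[(b, "Today")], counts[(b, "Yesterday")],
                     counts[(b, "SameDayLastWeek")]))
    return rows


def day_series(events, start):
    """`timechart span=15m count` over exactly one day: zero-filled, one
    value per bucket, so every series comes out the same length."""
    c = Counter(bucket(t) for t in events
                if start <= t < start + timedelta(days=1))
    return [c[start + i * SPAN] for i in range(BUCKETS_PER_DAY)]


def overlay_by_appendcols(events, now):
    """Second answer: three independent timecharts joined by row position.
    Sound only when all series have equal row counts, which is checked."""
    today = day_start(now)
    series = [day_series(events, today - timedelta(days=d)) for d in (0, 1, 7)]
    if len({len(s) for s in series}) != 1:
        raise ValueError("appendcols would misalign: unequal row counts")
    return [(today + i * SPAN, a, b, c)
            for i, (a, b, c) in enumerate(zip(*series))]


def nonzero_rows(rows):
    """Only the buckets that hold any count, for a readable view."""
    return [r for r in rows if any(r[1:])]


# Constructed sample: the search is run on Wed 2024-03-13 at 10:20.
NOW = datetime(2024, 3, 13, 10, 20)
EVENTS = [
    datetime(2024, 3, 13, 9, 5), datetime(2024, 3, 13, 9, 10),  # today
    datetime(2024, 3, 12, 9, 7),                                # yesterday
    datetime(2024, 3, 6, 9, 14), datetime(2024, 3, 6, 9, 16),   # last Wednesday
    datetime(2024, 3, 5, 9, 3),                                 # 8 days ago: dropped
]

if __name__ == "__main__":
    a = overlay_by_shift(EVENTS, NOW)
    b = overlay_by_appendcols(EVENTS, NOW)
    print("both approaches agree:", a == b)
    for r in nonzero_rows(a):
        print(r[0].strftime("%H:%M"), *r[1:])
```

Both approaches give the same table here because each series covers exactly one whole day on the same 15-minute grid; if the today series were cut off at "now" while the other two ran to midnight, a positional join like appendcols would still line row 1 against row 1 and simply produce a shorter chart, whereas the shift-and-label approach keys on the bucket time and is indifferent to how many events each day has. One caveat for either method: on the two days a year when local time changes, a 24-hour shift and a one-calendar-day shift land on different buckets, so check which one the eval in your deployment does before trusting the overlay on those days.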