Hi,
We have a database query which runs every 15 minutes and provides event results with a field named NumOfOrders, which holds the number of orders sold in each 15-minute interval, as below.
Sample Example
index="xxxx" sourcetype="xxx" earliest=-0d@d latest=now | eval ReportKey="today" | append [search index="xxxx" sourcetype="xxx" earliest=-1d@d latest=-0d@d | eval ReportKey="Yesterday" | eval _time=_time+60*60*24] | timechart span=1h avg(abcsdf) by ReportKey
There are a couple of ways to do this. First, consider downloading the free timewrap app from Splunkbase. It is designed to help with exactly this type of search.
You can also do this:
source="dbmon-dump://Order_Rates/Order_Rates_Total" earliest=-48h
| eval Day=if(_time<relative_time(now(),"-24h"), "Yesterday", "Today")
| eval time=if(Day=="Today",_time,_time+86400)
| chart sum(NumOfOrders) as NumberOfOrders by time Day
| eval time=strftime(time,"%X")
Some comments:
For each event, the second line determines if the event occurred within the last 24 hours, and labels it appropriately with the Day field. Note that now() refers to the time that the search started. Also note that time is recomputed - since you want the two lines to overlap, this is necessary to make the chart look right.
I changed from the values function to the sum function - it will probably not make any difference, but if you had a time period with no data or duplicate data, I am not sure that values will do what you want.
Also, another resource:
http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/
In the blog article, the append command is used, but that complication is not necessary here. Use the append technique if you are comparing results from two entirely different searches. But the technique I show here will usually be faster and appropriate for larger data sets as well.
Try like this
source="dbmon-dump://Order_Rates/Order_Rates_Total" earliest=-1d@d | stats values(NumOfOrders) as NumberOfOrders by _time
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today") | eval _time=if(_time<relative_time(now(),"@d"),_time+86400,_time) | xyseries _time Day NumberOfOrders
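The two answers above differ in two details: the first labels events with a rolling relative_time(now(),"-24h") cutoff and aggregates with sum, the second uses the calendar-day cutoff relative_time(now(),"@d") and keeps values. The Python below is an added example, not code from either answerer and not Splunk itself; it reimplements the eval / shift-by-86400 / chart steps over constructed 15-minute order events so you can see what each choice produces. It assumes UTC for the "@d" midnight (Splunk would use the search's time zone) and uses a fixed stand-in for now().

```python
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400  # seconds in a day: the shift applied to yesterday's events so the lines overlap


def _ts(s):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC epoch (helper for the constructed sample)."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp())


# Constructed sample events (_time, NumOfOrders); this is not real dbmon output.
# It mimics a 15-minute order-count feed for 4 and 5 March 2024, with one
# repeated reading per hour so the sum/values difference is visible.
SAMPLE_EVENTS = [
    (_ts("2024-03-04 08:00"), 5), (_ts("2024-03-04 08:15"), 5),   # duplicate value 5
    (_ts("2024-03-04 08:30"), 7), (_ts("2024-03-04 08:45"), 9),
    (_ts("2024-03-04 11:00"), 3),                                 # yesterday afternoon
    (_ts("2024-03-05 08:00"), 4), (_ts("2024-03-05 08:15"), 6),   # duplicate value 6
    (_ts("2024-03-05 08:30"), 6), (_ts("2024-03-05 08:45"), 8),
]
SEARCH_NOW = _ts("2024-03-05 10:00")  # stands in for now(), fixed at search start


def cutoff(now, boundary):
    """Equivalent of relative_time(now,"-24h") or relative_time(now,"@d") (assumed UTC)."""
    if boundary == "-24h":
        return now - DAY
    if boundary == "@d":
        midnight = datetime.fromtimestamp(now, timezone.utc).replace(
            hour=0, minute=0, second=0, microsecond=0)
        return int(midnight.timestamp())
    raise ValueError("unsupported boundary: %s" % boundary)


def overlay(events, now, boundary="-24h", agg="sum", span=3600):
    """Label each event Today/Yesterday, shift Yesterday forward by one day,
    bucket the shifted time (like timechart span=1h) and aggregate per Day.
    agg="sum" behaves like sum(); agg="values" dedupes like values().
    Returns {"HH:MM": {"Today": ..., "Yesterday": ...}}."""
    edge = cutoff(now, boundary)
    buckets = defaultdict(lambda: defaultdict(list))
    for t, orders in events:
        day = "Yesterday" if t < edge else "Today"       # the eval Day=if(...) step
        shifted = t + DAY if day == "Yesterday" else t   # the eval time=... shift
        bucket = shifted - shifted % span                # span bucketing
        key = datetime.fromtimestamp(bucket, timezone.utc).strftime("%H:%M")  # strftime step
        buckets[key][day].append(orders)
    out = {}
    for key in sorted(buckets):
        out[key] = {}
        for day, vals in buckets[key].items():
            out[key][day] = sum(vals) if agg == "sum" else sorted(set(vals))
    return out


if __name__ == "__main__":
    for boundary in ("-24h", "@d"):
        for agg in ("sum", "values"):
            print(boundary, agg, overlay(SAMPLE_EVENTS, SEARCH_NOW, boundary, agg))
```

Two things the output makes obvious. With the rolling "-24h" cutoff, the event from 11:00 yesterday is newer than now()-24h, so it is labelled Today and not shifted; it shows up as a Today point at 11:00 even though the search ran at 10:00. With "@d" it is correctly Yesterday and lands on the Yesterday line at 11:00. And values() collapses the two readings of 5 (and of 6) into one, so the 08:00 hour reports [5, 7, 9] rather than 26, which is why the first answer recommends sum when duplicates or gaps are possible.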