Hi Team,
I have a requirement where I need to compare multiple apps' data for the past two weeks.
I have app1, app2, app3 ... app10 in my Splunk and I need to draw a trend of how it looks in the current week and compare it with the previous week.
As of now, I am able to do this for the current week for the top 10 apps using the query below.
index=data |top 10 apps
This works fine when visualized as a column chart with app names at the bottom of each column. I want to add the same app's value next to each column bar for the current week and last week. It should look something like below.
App1                      | App2                      | ... | App10
currentweek  Previousweek | currentweek  Previousweek | ... | currentweek  Previousweek
I tried using Timewrap, but it works for 1 app and not for multiple apps. As I need to display 10 apps, Timewrap with Timechart is creating a lot of mess in the output.
Can you please let me know if we have any way to achieve this?
This makes test results -
| makeresults | eval Week="Prior, 2017-01-23"
| eval App = mvappend("App1", "App2", "App3", "App4", "App3")
| mvexpand App
| streamstats count as value
| eval value = value + 10
| append
[| makeresults | eval Week="Current, 2017-01-30"
| eval App = mvappend("App4", "App2", "App3", "App4", "App6")
| mvexpand App
| streamstats count as value
| eval value = value + 8 ]
This charts them
| chart sum(value) as MyCount over App by Week
Try like this
index=data earliest=-1w@w latest=now
| eval metrics=app.":".if(_time>=relative_time(now(),"@w"),"Current_Week","Last_Week")
| chart count over index by metrics | fields - index
Option 2:
index=data earliest=-1w@w latest=now
| eval period=if(_time>=relative_time(now(),"@w"),"Current_Week","Last_Week")
| chart count over app by period | sort 10 -Current_Week
Hi There,
Thanks for the help. This works perfectly if it is a calendar week (i.e. Sunday to Sunday). However, if we want any custom time frame, for instance, I want to compare the last 14 days now.
So this Tuesday to last Tuesday (01/31 to 01/24) as the current week, and last Tuesday to the Tuesday before (01/24 to 01/17) as the previous week.
In that case, the only thing that you need to update is the relative_time value. Change it from relative_time(now(),"@w") (which handles Sun-Sat weeks) to relative_time(now(),"-7d@d") (which handles 7-day buckets).
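The custom-window change from the reply above, combined with the makeresults approach from the earlier answer, as an added example that is not from any poster in this thread. The 280 generated events (spread over the last 14 days across five constructed app names) stand in for `index=data earliest=-14d@d latest=now`; the search window has to reach back 14 days for the Last_Week column to be populated.

```spl
| makeresults count=280
| streamstats count as n
| eval _time = now() - (n * 4320)
| eval app = "App".tostring((n % 5) + 1)
| eval period = if(_time >= relative_time(now(), "-7d@d"), "Current_Week", "Last_Week")
| chart count over app by period
| sort 10 -Current_Week
```

With latest=now, Current_Week covers seven full days plus the elapsed part of today, while Last_Week covers exactly seven days; using latest=@d on the real search makes the two windows equal in length.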
1) Are you just naming the top apps, or are you reporting stats about them?
2) If something was top 10 last week and not this week, or vice versa, what do you want to do about it?