- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to produce a column chart that compares each a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to produce a column chart that compares each app's data between past 2 weeks?
Hi Team,
I have a requirement where, I need to compare multiple apps' data for past two weeks.
I have app1, app2, app3 ... app10 in my Splunk and I need draw a trend how it looks current week and compare with previous week.
As of now, I am able to do for current week for top 10 apps using below query.
index=data |top 10 apps
This works fine while visualizing as column chart with app names at the bottom of each column chart, I want to add the same app value next to each column bar for current week and last week. It should be something like below.
App1 App1 App2 App2 .................................. App10 App10
currentweek Previousweek currentweek Previousweek -------------------------- currentweek Previousweek
I tried using Timewrap but it works for 1 app but not for multiple apps, as I need to display 10 app, Timewrap with Timechart is creating lot of mess in output.
Can you please let me know if we have any way to achieve this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This makes test results -
| makeresults | eval Week="Prior, 2017-01-23"
| eval App = mvappend("App1", "App2", "App3", "App4", "App3")
| mvexpand App
| streamstats count as value
| eval value = value + 10
| append
[| makeresults | eval Week="Current, 2017-01-30"
| eval App = mvappend("App4", "App2", "App3", "App4", "App6")
| mvexpand App
| streamstats count as value
| eval value = value + 8 ]
this charts them
| chart sum(value) as MyCount over App by Week
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index=data earliest=-1w@w latest=now
| eval metrics=app.":".if(_time>=relative_time(now(),"@w"),"Current_Week","Last_Week")
| chart count over index by metrics | fields - index
Option 2:
index=data earliest=-1w@w latest=now
| eval period=if(_time>=relative_time(now(),"@w"),"Current_Week","Last_Week")
| chart count over app by period | sort 10 -Current_Week
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi There,
Thanks for the help this works perfectly, if it is calendar week (i.e Sunday to Sunday), however, if we want any custom time frame, for instance, I want to compare last 14 day now.
So This Tuesday to last Tuesday (01/31 to 01/24)as current week and last Tuesday( 01/24 to 01/17 ) to before Tuesday as previous week.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In that case, only thing that you need to update is this the relative_time value. Change it from relative_time(now(),"@w") (which handles on sun-sat weekly) to relative_time(now(),"-7d@d") (which handles on 7 day bucket).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) Are you just naming the top top apps, or are you reporting stats about them?
2) if something was top 10 last week and not this week, or vice versa, what do you want to do about it?
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
