Getting Data In

multiple searches in one graph

nirt
Path Finder

Hi,
I need to create a graph that contains 2 searches, to compare today's search and last week's search.
I know there are a lot of guides here that explain how to do it; however, I'm quite a new Splunk user and have tried for the past hours to get the graph to show properly, but I was not able to produce such a working search.
I was wondering if you guys could assist me in creating such a search.
My common search is as follows:
host="stats" | xmlkv | timechart max(usersCount)

Thank you guys in advance

1 Solution

carasso
Splunk Employee

Comparing week-over-week results used to be a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1d | timewrap w

That's it!

http://apps.splunk.com/app/1645/

nirt
Path Finder

In the tip you posted, it says there is an issue displaying all the content of an appended search for versions prior to 4.3.1; however, I'm using 4.3.3 and still have that issue.

This search worked for me; it compares yesterday to 2 days ago:
host="stats" earliest=-1d@d latest=-0d@d | xmlkv | eval ReportKey="today" | append maxtime=100 [ search host="stats" earliest=-2d@d latest=-1d@d | xmlkv | eval ReportKey="yesterday" | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time), new_time, _time) | timechart span=10m max(usersCount) by ReportKey


nirt
Path Finder

I'm having problems showing the graph properly when comparing last week's day to today.
Each graph shows independently instead of together.
The following search is being used:

host="stats" earliest=-0d@d latest=+1d@d | xmlkv | eval ReportKey="today" | append maxtime=100 [ search host="stats" earliest=-7d@d latest=-6d@d | xmlkv | eval ReportKey="same day last week" | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time), new_time, _time) | timechart span=20m max(usersCount) by ReportKey

I also tried eval new_time=_time+60*60*24*7.

Any ideas?


nirt
Path Finder

I read it and came up with this:
host="stats" earliest=-0d@d latest=now | xmlkv | eval ReportKey="today" | append [ search host="stats" earliest=-1d@d latest=-0d@d | xmlkv | eval ReportKey="yesterday" | eval _time=_time+86400 ] | timechart span=10m max(usersCount) by ReportKey

However, the graph does not look right: it shows all of today and then a small portion of yesterday AFTER today, instead of in parallel.


sdaniels
Splunk Employee

Have you read through this? It gives a detailed walk-through of one way to do it.

http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/
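Every approach in this thread (the append-and-shift searches nirt posted, the blog post linked above, and carasso's timewrap command) relies on the same mechanism: tag each comparison window with a series label, move its _time forward by the window's offset so it lands inside the outer search's time range, then let timechart bucket by span and aggregate per label. The Python below is an added example written for this thread; it is not Splunk's code and not the timewrap app's code. It reproduces that logic offline so you can see why a shift of 86400 seconds (one day) applied to last week's events, as in the search a few posts up, produces two separate graphs rather than an overlay: the shifted events fall six days before today's chart window and are simply never drawn. The dates, usersCount values and function names are all constructed for the example.

```python
# Added example for this thread (not Splunk's code, not the timewrap app's code):
# it simulates the append-and-shift pattern and what `timewrap` does with it.
# All events below are constructed sample data shaped like the asker's usersCount.
from collections import defaultdict
from datetime import datetime, timezone

SPAN = 20 * 60          # timechart span=20m, in seconds
DAY = 24 * 60 * 60      # 86400 s: the shift for "yesterday"
WEEK = 7 * DAY          # 604800 s: the shift for "same day last week"

# Constructed anchor: "today" is 2024-03-11 00:00 UTC (a Monday).
TODAY_START = int(datetime(2024, 3, 11, tzinfo=timezone.utc).timestamp())


def make_events(start, values, step=600):
    """Constructed (epoch, usersCount) samples every `step` seconds from `start`."""
    return [(start + i * step, v) for i, v in enumerate(values)]


# Three windows of samples covering 00:00-00:50 of each day (constructed data).
EVENTS = (
    make_events(TODAY_START, [10, 12, 15, 18, 20, 22])          # today
    + make_events(TODAY_START - DAY, [30, 31, 29, 33, 35, 34])  # yesterday
    + make_events(TODAY_START - WEEK, [8, 9, 11, 14, 17, 16])   # same day last week
)


def bucket(ts, span=SPAN):
    """Floor an epoch timestamp to its span boundary, as timechart span= does."""
    return ts - (ts % span)


def overlay(events, periods, chart_start, chart_end, span=SPAN):
    """
    periods: {label: (earliest, latest, shift_seconds)}.
    Every event with earliest <= _time < latest is tagged `label`, its _time is
    moved forward by shift_seconds, and max(usersCount) is kept per span bucket:
    the equivalent of `eval _time=_time+shift | timechart span=.. max(usersCount) by label`.
    Only buckets inside [chart_start, chart_end) are kept; that window is the
    x-axis of the outer search, and events shifted anywhere else never overlay.
    Returns {bucket_epoch: {label: max_value}}.
    """
    table = defaultdict(dict)
    for ts, value in events:
        for label, (earliest, latest, shift) in periods.items():
            if not earliest <= ts < latest:
                continue
            t = bucket(ts + shift, span)
            if not chart_start <= t < chart_end:
                continue
            prev = table[t].get(label)
            table[t][label] = value if prev is None else max(prev, value)
    return dict(table)


def fully_overlaid(table, labels):
    """True when every plotted bucket carries a value for every series label."""
    return bool(table) and all(set(row) == set(labels) for row in table.values())


def render(table, labels):
    """Text rows shaped like timechart output: _time, then one column per label."""
    lines = ["_time\t" + "\t".join(labels)]
    for t in sorted(table):
        when = datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M")
        lines.append(when + "\t" + "\t".join(str(table[t].get(l, "")) for l in labels))
    return "\n".join(lines)


# Correct shifts: one day for yesterday, seven days for the same weekday last week.
GOOD = {
    "today": (TODAY_START, TODAY_START + DAY, 0),
    "yesterday": (TODAY_START - DAY, TODAY_START, DAY),
    "same day last week": (TODAY_START - WEEK, TODAY_START - WEEK + DAY, WEEK),
}

# The failure mode from the thread: last week's events shifted by only 86400 s
# land six days ago, outside today's chart window, so that series never appears.
BAD = {**GOOD, "same day last week": (TODAY_START - WEEK, TODAY_START - WEEK + DAY, DAY)}

if __name__ == "__main__":
    for name, periods in (("correct shifts", GOOD), ("wrong 86400 shift", BAD)):
        table = overlay(EVENTS, periods, TODAY_START, TODAY_START + DAY)
        print(f"--- {name}: overlaid={fully_overlaid(table, list(periods))}")
        print(render(table, list(periods)))
```

With the correct shifts every 20-minute bucket holds a value for all three series, which is what a single overlaid chart needs; with the one-day shift applied to last week's window, the "same day last week" column is empty in every bucket, which is exactly the "each graph shows independently" symptom. In SPL the same rule applies: the shift must equal the distance between the comparison window and the outer search's window (604800 for a week), and the shifted events must land inside the outer search's earliest/latest. Note also that an append subsearch is subject to the subsearch result-count and runtime limits in limits.conf, so on a busy host the appended window can be truncated; timewrap needs no subsearch, which is one reason carasso's answer is the accepted one.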
