Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

multiple searches in one graph

nirt
Path Finder
‎07-12-2012 05:37 AM

Hi,
I need to create a graph that contains 2 searches, to compare today's search and last week's search
I know there are lot of guides here that explain how to do it, however I'm quite a new splunk user and have tried for the past hours to try and get the graph to show properly however I was not able to product such working search
I was wondering if you guys could assist me in creating such search
My common search is as following:
host="stats" | xmlkv | timechart max(usersCount)

Thank you guys in advance

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎05-21-2014 12:01 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1d | timewrap w

That's it!

http://apps.splunk.com/app/1645/

View solution in original post

Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎05-21-2014 12:01 PM

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way.

I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.

... | timechart count span=1d | timewrap w

That's it!

http://apps.splunk.com/app/1645/

Reply
Solved! Jump to solution

nirt
Path Finder
‎07-15-2012 04:59 AM

In the tip you have posted it says there is an issue displaying all content of an append search for versions prior to 4.3.1, however I'm using 4.3.3 and still have that issue

this search worked for me: compared yesterday to 2 days ago:
host="stats" earliest=-1d@d latest=-0d@d | xmlkv | eval ReportKey="today" | append maxtime=100 [ search host="stats" earliest=-2d@d latest=-1d@d | xmlkv | eval ReportKey="yesterday" | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time), new_time, _time) | timechart span=10m max(usersCount) by ReportKey

0 Karma
Reply
Solved! Jump to solution

nirt
Path Finder
‎07-15-2012 07:08 AM

I'm having problems showing the graph properly when comparing last week's day to today
Each graph shows independatly instead of together
the following search is being used:

host="stats" earliest=-0d@d latest=+1d@d | xmlkv | eval ReportKey="today" | append maxtime=100 [ search host="stats" earliest=-7d@d latest=-6d@d | xmlkv | eval ReportKey="same day last week" | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time), new_time, _time) |
timechart span=20m max(usersCount) by ReportKey

also tried eval new_time=_time+60*60*24*7

any ideas?

0 Karma
Reply
Solved! Jump to solution

nirt
Path Finder
‎07-12-2012 06:45 AM

I have read it and came up with this:
host="stats" earliest=-0d@d latest=now | xmlkv | eval ReportKey="today" | append [ search host="stats" earliest=-1d@d latest=-0d@d | xmlkv | eval ReportKey="yesterday" | eval _time=_time+86400 ] | timechart span=10m max(usersCount) by ReportKey

however, the graph does not look right - it shows all of today and then a small portiion of yesterday AFTER today instead in parallel

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎07-12-2012 06:30 AM

Have you read through this? It gives a detailed walk through of one way to do it?

http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...