Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

To append or to appendcols? Timecharting same search over different time period

cburr2012
Path Finder
‎08-14-2012 12:25 PM

Hello Splunkers,

I've seen a few questions and one blog post about this topic.

Goal: Look at the trend of one user's activity over a specified period of time (a week in this example) and look at the trend of that same user's activity over a different period of time.

Problem: I don't know if I should be using append or appendcols. Currently I am only seeing what amounts to borderline results with appendcols. When I put in my query, whichever search I put first (i.e. not the subsearch) I get that output on the timechart. I don't see the subsearch's trendline, even though it shows up in the legend. I think it is because the timechart doesn't span the dates required to view the subsearch.

Query short-hand: 

index=myIndex sourcetype=myType earliest=-7d@h latest=now "Query OR This" | rex me.here | timechart span=1d count(account_name) AS This_Week | appendcols [ search maxtime=500 timeout=500 index=myIndex sourcetype=myType  earliest=-14d@h latest=-7d@h "Query OR This" | rex me.here | timechart span=1d count(account_name) AS Last_Week ]

Thanks for the help in advance.

Reply

dwaddle
SplunkTrust
SplunkTrust
‎08-15-2012 07:23 AM

I would refer to this as a (perhaps) cleaner approach to this: http://splunk-base.splunk.com/answers/2712/line-chart-comparing-yesterdays-result-with-todays-result...

No subsearches or appends are required at all, as long as you are looking at consecutive (days/weeks/months). You will need append to do "first week of this month" compared to "first week of last month"

Reply

cburr2012
Path Finder
‎08-15-2012 08:56 AM

I assume you were pointing me to the most voted answer? There were quite a few answers in there with different approaches and results. Still tinkering trying to get a solution for this.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...