Splunk Search

To append or to appendcols? Timecharting same search over different time period

cburr2012
Path Finder

Hello Splunkers,

I've seen a few questions and one blog post about this topic.

Goal: Look at the trend of one user's activity over a specified period of time (a week in this example) and look at the trend of that same user's activity over a different period of time.

Problem: I don't know if I should be using append or appendcols. Currently I am only seeing what amounts to borderline results with appendcols. When I put in my query, whichever search I put first (i.e. not the subsearch) I get that output on the timechart. I don't see the subsearch's trendline, even though it shows up in the legend. I think it is because the timechart doesn't span the dates required to view the subsearch.

Query short-hand:

index=myIndex sourcetype=myType earliest=-7d@h latest=now "Query OR This" | rex me.here | timechart span=1d count(account_name) AS This_Week | appendcols [ search maxtime=500 timeout=500 index=myIndex sourcetype=myType  earliest=-14d@h latest=-7d@h "Query OR This" | rex me.here | timechart span=1d count(account_name) AS Last_Week ]

Thanks for the help in advance.

dwaddle
SplunkTrust

I would refer to this as a (perhaps) cleaner approach to this: http://splunk-base.splunk.com/answers/2712/line-chart-comparing-yesterdays-result-with-todays-result...

No subsearches or appends are required at all, as long as you are looking at consecutive periods (days/weeks/months). You will need append to do "first week of this month" compared to "first week of last month".
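As an added example (not from the original thread or from the linked answer), this is one way to write the single-search approach for two consecutive weeks: one search covers both weeks, each event is tagged with its week, and last week's events are shifted forward by seven days so both series land on the same day-of-week axis of one timechart. The index, sourcetype, search terms and `rex me.here` are the question's own placeholders; the field name `period` is assumed.

```spl
index=myIndex sourcetype=myType earliest=-14d@h latest=now "Query OR This"
| rex me.here
| eval period=if(_time >= relative_time(now(), "-7d@h"), "This_Week", "Last_Week")
| eval _time=if(period="Last_Week", _time + 7*86400, _time)
| timechart span=1d count(account_name) by period
```

Because both series share one time axis, the timechart spans only the current week and the Last_Week line is no longer pushed outside the chart's date range, which was the symptom seen with appendcols.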

cburr2012
Path Finder

I assume you were pointing me to the most voted answer? There were quite a few answers in there with different approaches and results. Still tinkering trying to get a solution for this.
