How to create a week over week chart comparison fr...

craighawk · ‎08-24-2012

index=data du= host= | timechart count by opp

or

index=data du= host=

I am useing version 4.3.2, build 123586

I have been trying to figure out how to make a chart with the current day/time compared to one week ago same day and time.

I have left out the dozens of variations I've tried to spare other newbies like myself the frustration of working through them only to find they didn't work.

** I used "all" since the asterisk wasn't being displayed.

lakromani · ‎03-06-2017

An old thread, but Splunk has now a better way to do this, using Timewrap
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap

Try this:

index=_internal sourcetype=splunkd eps>0 earliest=-1mon latest=now
| timechart avg(eps) span=1h 
| timewrap 1w

chris_lewis · ‎05-16-2013

How would you achieve the same results but on the same x axis? So that the X axis just had the day of the week -> mon,tues,weds

and then have numerous lines for this week and 1 week ago?

That would be a lot better.

craighawk · ‎08-27-2012

Hello Kallu, I was able to get my question answered. This worked for me:

jonuwz · ‎08-26-2012

Something like this maybe, it doesn't take into account timezone changes, leap years etc.

index=_internal sourcetype=splunkd eps > 0 | addinfo 
| eval date_wnum=strftime(_time, "%V") 
| eval date_wnum_now=strftime(info_max_time, "%V")
| eval _time=_time+(date_wnum_now-date_wnum)*86400*7  
| eval date_wnum=if(date_wnum==date_wnum_now,"This week",(date_wnum_now-date_wnum)." weeks ago")
| bin _time span=1h
| chart avg(eps) over _time by date_wnum
| makecontinuous _time

It works by shifting previous weeks data into this week, but tagging it as "X weeks ago"
I use chart instead of timechart because timechart would plot the entire date range in the search, but because everything is timeshifted, all the data would be crammed at the end of the chart.

You need | makecontinuous _time

So that the JSchart prints reasonable 'time' values, instead of XML stype time values.

craighawk · ‎08-27-2012

Great, that looks like it works! Thanks a lot.

kallu · ‎08-26-2012

How does your data look? If you already have "du" -field in it I don't see any need for "multikv" -commands in your search. Also in your original example you were counting number of events by opp(?) but then you have changed it to be hourly average of du -field. Was this done on purpose? Does your search/charting work for today and week-ago if you run them separately?

craighawk · ‎08-24-2012

And it isn't showing up on a fancy chart like in the examples:

http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/

craighawk · ‎08-24-2012

Getting strange output and no legend stating "today" and "yesterday".

** 'du' values are different integers.

How to create a week over week chart comparison from current time

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life