Solved: Comparing last year to this year

JovanMilosevic · ‎09-17-2012

Hi,

I have 3 single values displaying YTD, MTD and Today's figures.

What I'd like to do is have another 3 single values that give last year's equivalent figures, i.e.

Jan 1 to Sept 17 2011 inclusive, Sept 1 to Sept 17 2011 inclusive, and Sept 17 2011.

Just can't seem to work out what time modifiers I should use.

Thanks in advance.

MuS · ‎09-17-2012

Hi JovanMilosevic

try the following time setting after your search string:

Jan 1 to Sept 17 2011 inclusive -> earliest=-y@y latest=-y@+d@d

Sept 1 to Sept 17 2011 inclusive -> earliest=-y@mon latest=-y@+d@d

Sept 17 2011 -> earliest=-y@d@d latest=-y@+d@d

cheers,

MuS

View solution in original post

MuS · ‎09-17-2012

Hi JovanMilosevic

try the following time setting after your search string:

Jan 1 to Sept 17 2011 inclusive -> earliest=-y@y latest=-y@+d@d

Sept 1 to Sept 17 2011 inclusive -> earliest=-y@mon latest=-y@+d@d

Sept 17 2011 -> earliest=-y@d@d latest=-y@+d@d

cheers,

MuS

MuS · ‎09-17-2012

yes, the last @d snaps to the current day, without it it uses the actual time. you can test it in the manager by clicking the timepicker and use the advanced search language. the docs about the time range are here http://docs.splunk.com/Documentation/Splunk/4.3.4/User/ChangeTheTimeRangeOfYourSearch

JovanMilosevic · ‎09-17-2012

Thanks for this. For the Sep 17 search, is it possible to get the search to retrieve records for up to the current time on that day, rather than the whole day ?

Comparing last year to this year

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk