I am trying to create a line chart showing results from today compared to a week ago. I searched answers but still haven't got it to work. We are running Splunk 4.2.5.
I also looked at the blog at: Blog
Here is my query:
index=_audit earliest=-0d@d latest=now savedsearch_name=*
| eval searchStartTime=strptime(apiStartTime, "'%a %B %d %H:%M:%S %Y'")
| eval searchEndTime=strptime(apiEndTime, "'%a %B %d %H:%M:%S %Y'")
| eval searchExecuteTime=_time
| eval deltaFromEnd=searchExecuteTime - searchStartTime
| eval ReportKey="Today"
| append [search index=_audit earliest=-7d@d latest=-6d@d savedsearch_name=*
| eval searchStartTime2=strptime(apiStartTime, "'%a %B %d %H:%M:%S %Y'")
| eval searchEndTime2=strptime(apiEndTime, "'%a %B %d %H:%M:%S %Y'")
| eval searchExecuteTime2=_time
| eval deltaFromEnd=searchExecuteTime2 - searchStartTime2
| eval ReportKey="Last Week"
| eval new_time=_time+604800 ]
| eval _time=if(isnotnull(new_time), new_time, _time)
| timechart span=15m median(deltaFromEnd) by ReportKey
Try this approach instead:
index=_internal sourcetype=splunkd eps > 0 | addinfo
| eval date_wnum=strftime(_time, "%V")
| eval date_wnum_now=strftime(info_max_time, "%V")
| eval _time=_time+(date_wnum_now-date_wnum)*86400*7
| eval date_wnum=if(date_wnum==date_wnum_now,"This week",(date_wnum_now-date_wnum)." weeks ago")
| bin _time span=1h
| chart avg(eps) over _time by date_wnum
| makecontinuous _time
You can just alter your search range and it'll cope with it rather than having to alter your search all the time.
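To make the overlay mechanics visible outside Splunk, here is an added Python example (not code from the question, the answer, or Splunk) that replays the question's approach on a constructed sample of _audit-style records: parse the quoted apiStartTime with the same strptime format, shift the "Last Week" rows forward by 604800 seconds, bin into 15-minute spans and take the median delta per bin and ReportKey. The record layout is assumed and timestamps are treated as UTC.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

WEEK = 604800        # seconds in 7 days, the offset used in `new_time=_time+604800`
SPAN = 15 * 60       # 15-minute buckets, as in `timechart span=15m`
API_FMT = "'%a %B %d %H:%M:%S %Y'"   # quoted format from the question's strptime calls

def parse_api_time(s):
    """Parse a quoted apiStartTime/apiEndTime string to an epoch (assumed UTC)."""
    return datetime.strptime(s, API_FMT).replace(tzinfo=timezone.utc).timestamp()

def rec(exec_str, start_str, key):
    """One constructed _audit-style record; _time is the search execute time."""
    return {"_time": parse_api_time(exec_str), "apiStartTime": start_str, "ReportKey": key}

# Constructed sample: three runs today (Mon 9 Jan 2012) and three on the Monday before.
SAMPLE = [
    rec("'Mon January 09 10:03:00 2012'", "'Mon January 09 10:00:00 2012'", "Today"),      # delta 180
    rec("'Mon January 09 10:07:00 2012'", "'Mon January 09 10:00:00 2012'", "Today"),      # delta 420
    rec("'Mon January 09 10:20:00 2012'", "'Mon January 09 10:10:00 2012'", "Today"),      # delta 600
    rec("'Mon January 02 10:02:00 2012'", "'Mon January 02 10:00:00 2012'", "Last Week"),  # delta 120
    rec("'Mon January 02 10:09:00 2012'", "'Mon January 02 10:00:00 2012'", "Last Week"),  # delta 540
    rec("'Mon January 02 10:22:00 2012'", "'Mon January 02 10:00:00 2012'", "Last Week"),  # delta 1320
]

def overlay(records, shift=True):
    """Return {bin_epoch: {ReportKey: median deltaFromEnd}}.

    With shift=True the "Last Week" rows are moved forward one week first, so both
    series fall into the same 15-minute bins and share one x axis. With shift=False
    they stay a week apart and a chart cannot overlay them.
    """
    bins = defaultdict(lambda: defaultdict(list))
    for r in records:
        delta = r["_time"] - parse_api_time(r["apiStartTime"])   # deltaFromEnd in the question
        t = r["_time"] + (WEEK if shift and r["ReportKey"] == "Last Week" else 0)
        bins[t - t % SPAN][r["ReportKey"]].append(delta)        # bin _time span=15m
    return {b: {k: median(v) for k, v in cols.items()} for b, cols in sorted(bins.items())}

def as_rows(table):
    """Flatten the overlay into timechart-like rows: (bin time, Today, Last Week)."""
    return [(datetime.fromtimestamp(b, timezone.utc).strftime("%Y-%m-%d %H:%M"),
             cols.get("Today"), cols.get("Last Week")) for b, cols in table.items()]

if __name__ == "__main__":
    for row in as_rows(overlay(SAMPLE)):
        print(*row)
```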
That's because the example uses a search with lots and lots of data.
Doesn't appear to be working very well. Really, really slow.
Thanks for the suggestion.