All Apps and Add-ons

How to create a timechart to compare data from two different time ranges?

muralianup
Communicator

Working on a search where data from 2 different time range is to be compared and displayed on time chart. I have 2 searches which pulls number of events with timespan =1d, now I have to compare the values between those ranges.

Search 1: index=firewall dest_port=22 earliest=-39d@d latest=-21d@d |  timechart span=1d count
Search 2: index=firewall dest_port=22 earliest=-21d@d latest=now | timechart span=1d count

So what I am trying to do is look at the port activity from 2 weeks (lets say End of April - Mid May and Mid May to until now) then compare the activity.

I looked at some of the previous posts and blogs, eeven used the timewrap (probably not the right way) but didnt quite worked out.

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

This is similar to an example in the Exploring Splunk book https://www.splunk.com/pdfs/exploring-splunk.pdf

sourcetype=access_combined earliest=-2d@d latest=@d
 | eval marker = if (_time < relative_time(now(), "-1d@d"),
 "last week", "this week")
 | eval _time = if (marker=="last week",
 _time + 24*60*60, _time)
 | timechart avg(bytes) by marker

Modify it to fit your time frames and your base search, but the concept should help you.

0 Karma

muralianup
Communicator

How about timewrap ? Which one will be more efficient ?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...