- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Time Chart - Today - Yesterday - Last week - Not 2...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a time chart that looks back over the last 24hr and compares the data to Yesterday and 7 days ago.
My live data is delayed by 2hrs coming into Splunk, I use the below search.
sourcetype="iis-2" earliest=-26h latest=-2h | extract auto=true | search | timechart dc(cs_username) AS Today | appendcols [search earliest=-50h latest=-26h | timechart dc(cs_username) AS Yesterday] | appendcols [search earliest=-194h latest=-170h | timechart dc(cs_username) AS Last_Week]
This is fine but I want to get to the day and not 24hrs from now.
I would like the scale to be 00:00:00 – 23:59:59 (or Hours 1-24) and Yesterday and 7 days ago data to be populated in full, as Today progresses the chart refreshes and populates with Todays data as it comes in.
Thanks,
Dan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was being a bit of a fool. The below worked for me.
sourcetype="iis-2" earliest=-0d@d latest=+1d@d | extract auto=true | search | timechart dc(cs_username) AS Today | appendcols [search earliest=-3d latest=-2d | timechart dc(cs_username) AS Yesterday] | appendcols [search earliest=-8d latest=-7d | timechart dc(cs_username) AS Last_Week]
I need to edit it a bit further in regards to formatting. The above gives me a time chart for one day with data points every 30mins.
Thanks,
Dan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was being a bit of a fool. The below worked for me.
sourcetype="iis-2" earliest=-0d@d latest=+1d@d | extract auto=true | search | timechart dc(cs_username) AS Today | appendcols [search earliest=-3d latest=-2d | timechart dc(cs_username) AS Yesterday] | appendcols [search earliest=-8d latest=-7d | timechart dc(cs_username) AS Last_Week]
I need to edit it a bit further in regards to formatting. The above gives me a time chart for one day with data points every 30mins.
Thanks,
Dan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response, I could not get this to work.
I think the problem I have is how to select today in the earliest and latest values.
For today I would like it to start at 00:00:00 and end at 23:59:59 and to look at yesterday and 7 days ago.
So at 10 am there will be a complete data set for the entire day for Yesterday and 7 days ago but Today would only have the first 10 hours and more will populate throughout the day.
I expect there is a simple solution but I have missed it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using the span=1d in timechart. Should solve it
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
