Add previous week to line chart for comparison

davidsplunk123 · ‎02-28-2018

I have this below search and would like to add another line to include the week previous showing how it compares with the last 7 days.

index=summary report=otl_engineering_jiracsatresults Key="**" Assignee="**" Classification="**"
| dedup Key 
| eval dateEpoch = strptime(Date, "%Y-%m-%d %H:%M") 
| eval today = now() 
| eval daysAgo = round(((today - dateEpoch)/60/60/24), 0) 
| rex field=Date "(?<day>^\d{4}-\d{2}-\d{2}) \d{2}:\d{2}$"
| table Key, Summary, Reporter, Assignee, Classification, "CSAT Rate", "CSAT Rating Comment", Date, daysAgo, day
|  search daysAgo <= 7 
| stats avg("CSAT Rate") as AverageCustomerRating by day

cmerriman · ‎02-28-2018

what version of Splunk are you using? newer versions of Splunk (6.5+, I believe) have a command called timewrap

https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Timewrap

if you do something ilke:

index=summary report=otl_engineering_jiracsatresults Key="**" Assignee="**" Classification="**"
 | dedup Key 
 | eval dateEpoch = strptime(Date, "%Y-%m-%d %H:%M") 
 | eval today = now() 
 | eval daysAgo = round(((today - dateEpoch)/60/60/24), 0) 
 | rex field=Date "(?<day>^\d{4}-\d{2}-\d{2}) \d{2}:\d{2}$"
 | table Key, Summary, Reporter, Assignee, Classification, "CSAT Rate", "CSAT Rating Comment", Date, daysAgo, day dateEpoch
 | eval _time=dateEpoch
 |  search daysAgo <= 14 
 | timechart span=1d avg("CSAT Rate") as AverageCustomerRating 
 | timewrap 1week

there is also a timewrap app, if you're on an older version of splunk https://splunkbase.splunk.com/app/1645/

Add previous week to line chart for comparison

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases