- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart past 24 hours with a 30 day trendline co...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart past 24 hours with a 30 day trendline comparison
I have a timechart where I am getting the average of user actions. What I would like to do is have this run for the past 24 hours but have also the historical 30 day or so trendline incorporated. I was attempting something like the following:
sourcetype="user"
| append [ timechart avg(user_time) by user_componentspan=15m limit=0]
| timechart avg(user_time) by user_component span=4week
| timewrap 4week
This doesnt get to where I want though. Additionally I was thinking of creating a trendline but in trying that I cant get it to go back historically beyond my time-range. Is there a better way to accomplish this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can probably create a saved search which runs every day and fetches last 30 days data and does the stats or timechart and updates a lookup which then you can use in the search which is run for last 24 hours data. The data in the lookup can server your purpose for a trendline . The benefit of doing this way is you dont have to run the search for last 30 days which will slowdown your overall search.
Saved search for the lookup :
index=yourindex earliest=-30d@d
| timechart span=4w dc(hdr.userId) as username by user_component limit=0 | outlookup append=false lookupname.csv
Your search for the dashboard :
`index=yourindex earliest=-24h@h
| timechart span=15m dc(hdr.userId) as username by user_component limit=0 | inputlookup append=true lookupname.csv`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ideally I did not want to use a lookup. Eventually I would like this fed into a dashboard which has some tokens fed in which would result in multiple lookups being maintained.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now i get you, if you want to change the time for the trendline dynamically then lookup will not be a good idea.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what kind of scenarios you can think of which can stop you from using lookup. I understand using multiple looks for doing the similar things is not a good idea.
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
