Splunk® Enterprise

# Compare hourly sums across multiple days

The timechart command creates charts that show trends over time. It has strict boundaries limiting what it can do. There are times when you should use the chart command command, which can provide more flexibility.

This example demonstrates how to use chart to compare values collected over several days. You cannot do this with timechart

## Scenario

These two searches are almost identical. They both show the hourly sum of the P field over a 24-hour period. The only difference is that one search covers a period ten days in the past, while the other covers a period nine days into the past:

Search 1:

earliest=-10d latest=-9d | timechart span="1h" sum(P)

Search 2:

earliest=-9d latest=-8d | timechart span="1h" sum(P)

Create a column chart that combines the results of these two searches, so you can see the sum of P for 3pm, ten days ago side-by-side with the sum of P for 3pm, nine days ago.

## Solution

Using the chart command, set up a search that covers both days. Then, create a "sum of P" column for each distinct date_hour and date_wday combination found in the search results.

The finished search looks like this:

earliest=-10d latest=-8d | chart sum(P) by date_hour date_wday

This produces a single chart with 24 slots, one for each hour of the day. Each slot contains two columns that enable you to compare hourly sums between the two days covered by the time range of the report.

For a primer on reporting searches and how they're constructed, see "Use reporting commands" in the User Manual.

For more information about chart> and timechart functions, see "Functions for stats, chart, and timechart" in the Search Reference Manual.

 PREVIOUS Build a chart of multiple data series NEXT About real-time searches and reports

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14

Bertdg, thanks for catching that! I've corrected it to read "date_wday".

Sophy
May 14, 2014

chart by date_hour date_day doesn't seem valid. date_day is not a variable

Bertdg
May 13, 2014