Compare hourly sums across multiple days
The timechart command
creates charts that show trends over time. It has strict boundaries limiting what it can do. There are times when you should use the chart command
command, which can provide more flexibility.
This example demonstrates how to use chart
to compare values collected over several days. You cannot do this with timechart
Scenario
These two searches are almost identical. They both show the hourly sum of the P
field over a 24-hour period. The only difference is that one search covers a period ten days in the past, while the other covers a period nine days into the past:
Search 1:
earliest=-10d latest=-9d | timechart span="1h" sum(P)
Search 2:
earliest=-9d latest=-8d | timechart span="1h" sum(P)
Create a column chart that combines the results of these two searches, so you can see the sum of P
for 3pm, ten days ago side-by-side with the sum of P
for 3pm, nine days ago.
Solution
Using the chart command, set up a search that covers both days. Then, create a "sum of P" column for each distinct date_hour
and date_wday
combination found in the search results.
The finished search looks like this:
earliest=-10d latest=-8d | chart sum(P) by date_hour date_wday
This produces a single chart with 24 slots, one for each hour of the day. Each slot contains two columns that enable you to compare hourly sums between the two days covered by the time range of the report.
For a primer on reporting searches and how they're constructed, see "Use reporting commands" in the Search Manual.
For more information about chart>
and timechart
functions, see "Statistical and charting functions" in the Search Reference.
Build a chart of multiple data series | Drill down on tables and charts |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!