Compare hourly sums across multiple days
timechart command creates charts that show trends over time. It has strict boundaries limiting what it can do. There are times when you should use the
chart command command, which can provide more flexibility.
This example demonstrates how to use
chart to compare values collected over several days. You cannot do this with
These two searches are almost identical. They both show the hourly sum of the
P field over a 24-hour period. The only difference is that one search covers a period ten days in the past, while the other covers a period nine days into the past:
earliest=-10d latest=-9d | timechart span="1h" sum(P)
earliest=-9d latest=-8d | timechart span="1h" sum(P)
Create a column chart that combines the results of these two searches, so you can see the sum of
P for 3pm, ten days ago side-by-side with the sum of
P for 3pm, nine days ago.
Using the chart command, set up a search that covers both days. Then, create a "sum of P" column for each distinct
date_wday combination found in the search results.
The finished search looks like this:
earliest=-10d latest=-8d | chart sum(P) by date_hour date_wday
This produces a single chart with 24 slots, one for each hour of the day. Each slot contains two columns that enable you to compare hourly sums between the two days covered by the time range of the report.
For a primer on reporting searches and how they're constructed, see "Use reporting commands" in the Search Manual.
For more information about
timechart functions, see "Statistical and charting functions" in the Search Reference.
Build a chart of multiple data series
Drill down on tables and charts
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2106, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release)
Feedback submitted, thanks!