Splunk® Light (Legacy)

Search and Reporting Examples


Compare week over week results using Splunk Light

Task

Determine how this week's average download (avg(bytes)) compares with last week's results.

Solutions

1. Find events in the total time period.

In this case, the time period is the two most recently completed weeks: from the start of the week two weeks ago (-2w@w) up to, but not including, the start of the current week (@w). Because the window ends at @w, "this week" in the steps below means the most recently completed week, not the partial week in progress. Use time modifiers in your search.

earliest=-2w@w latest=@w

2. Differentiate events between the two weeks.

Use the eval command to create a new field, marker, whose value is "last week" or "this week". relative_time(now(),"-w@w") is the start (Sunday 00:00) of the later of the two weeks, so any event with an earlier _time belongs to "last week".

earliest=-2w@w latest=@w | eval marker=if(_time<relative_time(now(),"-w@w"), "last week", "this week")

3. To graph the two weeks on the same time range, adjust last week's events to look like they occurred this week by adding seven days (7*24*60*60 = 604800 seconds) to their _time.

earliest=-2w@w latest=@w | eval marker=if(_time<relative_time(now(),"-w@w"), "last week", "this week") | eval _time=if(marker=="last week", _time + 7*24*60*60, _time)

4. Chart the average download for each week.

earliest=-2w@w latest=@w | eval marker=if(_time<relative_time(now(),"-w@w"), "last week", "this week") | eval _time=if(marker=="last week", _time + 7*24*60*60, _time) | timechart avg(bytes) by marker

This produces a timechart with two series, "last week" and "this week", plotted over the same seven-day axis, so the average bytes in each time bucket can be compared directly between the two weeks.
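The four steps above implement one procedure: bound the window, label each event by week, shift the earlier week forward, then average per bucket. The following is an added example, not code from the Splunk documentation, that reproduces that procedure in plain Python over constructed sample events so the snapping and shifting arithmetic can be checked outside Splunk. It assumes UTC for all snapping (Splunk snaps in the user's time zone), a week that starts on Sunday as Splunk's @w does, and a one-day timechart span aligned to UTC midnight; the function names, the sample events and the "now" of Wed 2016-04-13 12:00 UTC are all constructed for the example.

```python
"""Week-over-week comparison in plain Python, mirroring the Splunk search:
  earliest=-2w@w latest=@w
  | eval marker=if(_time<relative_time(now(),"-w@w"), "last week", "this week")
  | eval _time=if(marker=="last week", _time + 7*24*60*60, _time)
  | timechart avg(bytes) by marker
Assumptions (not from the Splunk docs): snapping is done in UTC, a week
starts on Sunday as Splunk's @w does, and the timechart span is one day.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WEEK = 7 * 24 * 60 * 60
DAY = 24 * 60 * 60


def utc(year, month, day, hour=0, minute=0):
    """Epoch seconds for a UTC wall-clock time (used to build sample data)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


def snap_to_week(ts):
    """Splunk's @w snap: 00:00 on the Sunday that starts the week containing ts."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    days_since_sunday = (dt.weekday() + 1) % 7  # Python: Monday=0 ... Sunday=6
    sunday = (dt - timedelta(days=days_since_sunday)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    return int(sunday.timestamp())


def relative_time(now, weeks_back):
    """relative_time(now(), "-<weeks_back>w@w"): step back N weeks, then snap."""
    return snap_to_week(now - weeks_back * WEEK)


def label_and_shift(events, now):
    """Steps 1-3: keep events in [-2w@w, @w), label them by week, and move
    last week's timestamps forward seven days so both weeks share one axis."""
    earliest = relative_time(now, 2)         # -2w@w
    latest = relative_time(now, 0)           # @w
    last_week_start = relative_time(now, 1)  # relative_time(now(), "-w@w")
    rows = []
    for ts, nbytes in events:
        if not (earliest <= ts < latest):    # outside the two-week window
            continue
        marker = "last week" if ts < last_week_start else "this week"
        if marker == "last week":
            ts += WEEK                       # overlay last week onto this week
        rows.append((ts, marker, nbytes))
    return rows


def timechart_avg(rows, span=DAY):
    """Step 4: timechart avg(bytes) by marker, buckets aligned to UTC midnight."""
    totals = defaultdict(lambda: [0, 0])     # (bucket, marker) -> [sum, count]
    for ts, marker, nbytes in rows:
        bucket = ts - (ts % span)
        totals[(bucket, marker)][0] += nbytes
        totals[(bucket, marker)][1] += 1
    return {key: total / count for key, (total, count) in totals.items()}


def week_over_week(events, now, span=DAY):
    """{bucket: {"last week": avg, "this week": avg, "change_pct": pct or None}}."""
    chart = timechart_avg(label_and_shift(events, now), span)
    out = defaultdict(dict)
    for (bucket, marker), avg in chart.items():
        out[bucket][marker] = avg
    for series in out.values():
        last, this = series.get("last week"), series.get("this week")
        # No percentage when either week has no data in this bucket.
        series["change_pct"] = (None if not last or this is None
                                else round(100.0 * (this - last) / last, 1))
    return dict(out)


# Constructed sample data: (epoch, bytes). "now" is Wed 2016-04-13 12:00 UTC,
# so @w = Sun Apr 10, -w@w = Sun Apr 3 and -2w@w = Sun Mar 27.
NOW = utc(2016, 4, 13, 12)
SAMPLE_EVENTS = [
    (utc(2016, 3, 20, 9), 7000),   # before -2w@w: dropped
    (utc(2016, 3, 28, 10), 1000),  # last week, Monday
    (utc(2016, 3, 28, 14), 3000),  # last week, Monday
    (utc(2016, 3, 29, 8), 500),    # last week, Tuesday
    (utc(2016, 4, 4, 9), 4000),    # this week, Monday
    (utc(2016, 4, 4, 11), 2000),   # this week, Monday
    (utc(2016, 4, 5, 16), 5000),   # this week, Tuesday
    (utc(2016, 4, 11, 3), 999),    # after @w (partial current week): dropped
]

if __name__ == "__main__":
    for bucket, series in sorted(week_over_week(SAMPLE_EVENTS, NOW).items()):
        day = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%a %Y-%m-%d")
        print(day, series)
```

Running the block prints one line per day bucket with both weeks' averages and the percentage change; on the sample data the Monday bucket shows last week 2000, this week 3000 (+50%) and the Tuesday bucket 500 versus 5000 (+900%). The two events outside the window are dropped before labelling, which is the same effect the earliest/latest modifiers have in Splunk.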

Last modified on 13 April, 2016

This documentation applies to the following versions of Splunk® Light (Legacy): 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6

