Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Plot graph for previous 2 weekday average

Tester237
Explorer
‎10-03-2023 11:19 PM

Hi, I'm trying to plot graph for previous 2 weekday average. Below is the query used

index="xyz"  sourcetype="abc" app_name="123" or "456" earliest=-15d@d latest=now | rex field=msg "\"[^\"]*\"\s(?<status>\d+)"
| eval HTTP_STATUS_CODE=case(like(status, "2__"),"2xx") 
| eval current_day = strftime(now(), "%A") 
| eval log_day = strftime(_time, "%A") 
| where current_day == log_day
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%d")
| stats count by hour day HTTP_STATUS_CODE 
| chart avg(count) as average by hour HTTP_STATUS_CODE

 This plots grpah for complete 24hrs. 

Tester237_0-1696400235930.png


I wanted to know if I can limit the graph to current timestamp. Say now system time is 11AM. I want graph to be plotted only upto 11AM and not entire 24hrs. Can it be done ? Please advice

Labels (4)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-04-2023 12:45 AM

Just to be clear, you are thinking of previous 2-week average by hour of day, not previous 2 weekday average.  Correct?

index="xyz"  sourcetype="abc" app_name="123" or "456" earliest=-15d@d latest=now | rex field=msg "\"[^\"]*\"\s(?<status>\d+)"
| eval current_day = strftime(now(), "%A") 
| eval log_day = strftime(_time, "%A") 
```| where current_day == log_day```
| eval hour=strftime(_time, "%H")
| eval current_hour = strftime(now(), "%H") 
| where hour <= current_hour
| eval day=strftime(_time, "%d")
| stats count by hour day HTTP_STATUS_CODE
| chart avg(count) as average by hour HTTP_STATUS_CODE

Note you cannot have | where current_day == log_day and still get average across multiple days.

Reply

Tester237
Explorer
‎10-04-2023 04:59 AM

@yuanliu I'm looking for previous 2 "weekday" average. 

Consider, today is "Wednesday". I want to plot avg of previous 2 Wednesday's as a comparison against live data. 

Along with this, how can the search be only limited to the time range selected from the time picker ? 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...