Compare Two Time Ranges in One Report
Recently a customer asked me how to show current data vs. historical data in a single report. It looks like the report below, where one line represents today’s data and another represents yesterday’s data. This makes it easy to see the relationship between data over any two time ranges.
Here is the basic structure of the two time range search, today vs. yesterday:
Search for stuff yesterday | eval ReportKey="Yesterday" | modify the "_time" field | append [subsearch for stuff today | eval ReportKey="Today"] | timechart
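A concrete instance of this structure, as an added example that is not from the original post: it overlays hourly failed-login counts for today on those for yesterday. The index name `security`, the sourcetype `linux_secure` and the search term "Failed password" are assumptions; substitute your own data source.

```spl
index=security sourcetype=linux_secure "Failed password" earliest=-1d@d latest=@d
| eval ReportKey="Yesterday"
| eval _time=_time+86400
| append
    [ search index=security sourcetype=linux_secure "Failed password" earliest=@d latest=now
    | eval ReportKey="Today" ]
| timechart span=1h count by ReportKey
```

Adding 86400 seconds moves yesterday's events onto today's time axis so the two series line up hour by hour. On a day when daylight saving time changes, this fixed offset is off by one hour.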
If you’re not familiar with the “eval”, “timechart”, and “append” commands used above, and the subsearch syntax, here are links to these commands and their associated functions in Splunk’s online documentation: