Compare Two Time Ranges in One Report

Recently a customer asked me how to show current data vs. historical data in a single report.  It looks like the report below, where one line represents today’s data and another represents yesterday’s data.  This makes it easy to see the relationship between data over any two time ranges.
Two time ranges on one graph
Here is the basic structure of the two time range search, today vs. yesterday:

Search for stuff yesterday | eval ReportKey=”Yesterday” | modify the “_time” field | append [subsearch for stuff today | eval ReportKey="Today"] | timechart

If you’re not familiar with the “eval”, “timechart”, and “append” commands used above, and the subsearch syntax, here are links to these commands and their associated functions in Splunk’s online documentation:…

» Continue reading
16
February 19, 2012
Posted by Jon Webster in Tips & Tricks
Tags:, , , , , , ,

Splunk Insights