I successfully put together a graph that compares bandwidth consumption over a period of time (currently hardcoded to 60 minutes) with that of the previous week.
Now I'm having trouble hooking my query up to the time range picker on a Splunk dashboard.
My current query looks like:
```
index=xxx earliest=-60m@m latest=-0m@m |eval period="today"
| append [search index=xxx earliest=-10140m@m latest=-10080m@m | eval period="last_week"
| eval new_time=_time+(60*60*24*7)]
| eval _time=if(isnotnull(new_time), new_time, _time)
| timechart span=5m sum(bytes) by period
```
While researching how to do this, I found these posts:
https://answers.splunk.com/answers/453444/how-to-input-time-using-earliest-and-latest-tokens.html
https://answers.splunk.com/answers/475557/how-to-dynamically-compare-two-time-ranges.html
Then I made the following changes:
```
index=xxx
| eval earliest=if(isnum("$time_token.earliest$"), "$time_token.earliest$", relative_time(now(), "$time_token.earliest$"))
| eval latest=if(isnum("$time_token.latest$"), "$time_token.latest$", relative_time(now(), "$time_token.latest$"))
| eval period="today"
| append [search index=xxx |eval earlist=if(isnum("$time_token.earliest$"), relative_time("$time_token.earliest$", "-10080m@m"), relative_time(relative_time(now(), "$time_token.earliest$"), "-10080m@m"))
| eval latest=if(isnum("$time_token.latest$"), relative_time("$time_token.latest$", "-10080m@m"), relative_time(relative_time(now(), "$time_token.latest$"), "-10080m@m"))
| eval period="last_week"
| eval new_time=_time+(60*60*24*7)]
| eval _time=if(isnotnull(new_time), new_time, _time)
| timechart span=5m sum(bytes) by period
```
Unfortunately, my graph does not look right. It appears to be in a 7-day time range, and it seems like they are summing up the same data bytes. See image below.
Anyone with ideas? Thanks in advance.
![alt text][1]
[1]: /storage/temp/255871-screen-shot-2018-08-30-at-50043-pm.png