https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-create-a-search-query-that-would-make-a-dynamic/m-p/456348#M129012 <P>Hi @sager_shubham,</P> <P>did you try out Skoelpin's suggestion? Did it work? Let us know, so we can convert it to answer, and then you can approve it! Thanks.</P> Wed, 12 Sep 2018 19:36:58 GMT mstjohn_splunk 2018-09-12T19:36:58Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-create-a-search-query-that-would-make-a-dynamic/m-p/456344#M129008 <P>I wrote the following query for today's comparison with last week:</P> <PRE><CODE>index = abc App_Name=xyz earliest=-0d@d latest=now | multikv | eval ReportKey="Today"|append[search index = abc App_Name=xyz earliest=-7d@d latest=-6d@d | multikv | eval ReportKey="LastWeek"| eval _time=_time+60*60*24*7]|eval _time=if(isnotnull(new_time), new_time, _time)|timechart span=5m sum(TOTAL_TRANSACTIONS) as Transactions by ReportKey </CODE></PRE> <P>I want the query to do the following: allow someone to view the comparison of yesterday's data and last week's(considering yesterday to its one week data), or the "day before yesterday" to its corresponding "last week" data, and so on.</P> <P>So, could you please help how can i write the query for that?</P> Wed, 12 Sep 2018 11:09:39 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-create-a-search-query-that-would-make-a-dynamic/m-p/456344#M129008 sagar_shubham 2018-09-12T11:09:39Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-create-a-search-query-that-would-make-a-dynamic/m-p/456345#M129009 <P>You should use <CODE>relative_time</CODE> or <CODE>timewrap</CODE> to do this. It will be much cleaner</P> Wed, 12 Sep 2018 11:55:21 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-create-a-search-query-that-would-make-a-dynamic/m-p/456345#M129009 skoelpin 2018-09-12T11:55:21Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-create-a-search-query-that-would-make-a-dynamic/m-p/456346#M129010 <P>could you please refer me with an example<BR /> ?</P> Wed, 12 Sep 2018 13:11:46 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-create-a-search-query-that-would-make-a-dynamic/m-p/456346#M129010 sagar_shubham 2018-09-12T13:11:46Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-create-a-search-query-that-would-make-a-dynamic/m-p/456347#M129011 <P>A quick and dirty way would be to use <CODE>timewrap</CODE> like this.</P> <PRE><CODE>index = abc App_Name=xyz | timechart span=5m sum(TOTAL_TRANSACTIONS) as Transactions by ReportKey | timewrap 1d </CODE></PRE> <P>If this doesn't work then you will need to use relative time like this </P> <PRE><CODE>index = abc App_Name=xyz | eval today=relative_time(now(),"-d@d") | eval yesterday=relative_time('today', "-d@d") </CODE></PRE> Wed, 12 Sep 2018 13:47:42 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-create-a-search-query-that-would-make-a-dynamic/m-p/456347#M129011 skoelpin 2018-09-12T13:47:42Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-create-a-search-query-that-would-make-a-dynamic/m-p/456348#M129012 <P>Hi @sager_shubham,</P> <P>did you try out Skoelpin's suggestion? Did it work? Let us know, so we can convert it to answer, and then you can approve it! Thanks.</P> Wed, 12 Sep 2018 19:36:58 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-create-a-search-query-that-would-make-a-dynamic/m-p/456348#M129012 mstjohn_splunk 2018-09-12T19:36:58Z