topic Re: Subsearching within time frame in Splunk Search

Subsearching within time frame

barakb — Sun, 25 Oct 2020 22:55:28 GMT

Hi everyone,

I'm new to Splunk. I've got this search query:

host="..." earliest=-30d latest=now | stats distinct_count(v_id) AS v_id count(eval(req_type="[POST])) AS req_type by host | eval ratio =v_id/req_type

What I want to get a table with v_id and req_type of the earlier week and of the current week (currently I get only for the whole month). Moreover, if there is a better, easier to do this, please also share. Thanks!

Re: Subsearching within time frame

ITWhisperer — Sun, 25 Oct 2020 23:14:53 GMT

host="..." earliest=-30d latest=now | bin span=7d _time | stats distinct_count(v_id) AS v_id count(eval(req_type="[POST])) AS req_type by host _time | eval ratio =v_id/req_type

Setting the span to 7 days will bin from the earliest and given the 30 does not divide by 7 exactly, your latest bin will only contain counts for 2 days (which might not be what you want). Either change earliest to -28d@d or latest to -2d@d

Re: Subsearching within time frame

barakb — Mon, 26 Oct 2020 10:55:59 GMT

Yes! that what I was looking for! Thanks! @ITWhisperer , another question, see the screenshot I've attached, say I want to have the results as another 2 columns (e.g pastVisits and pastFinishedVisits). Taking visits for example, 'pastVisits' would represent visit that have happened 30 to 15 days ago, and 'visits' represents visits that have happened15 days ago until current day. How do I do that?

Re: Subsearching within time frame

ITWhisperer — Mon, 26 Oct 2020 11:20:44 GMT