topic Re: Comparing results from two different dates in Splunk Search

Comparing results from two different dates

matthew_foos — Wed, 17 Jan 2018 17:17:40 GMT

Hello all,

Search string:
index=blahblah host=blahblah
| fields host, EventCode
| stats count by host, EventCode
| sort - count
| where count > 200

I'm trying to compare the results of this search for the following dates in one report:
1-4-2018 and 1-5-2018

Re: Comparing results from two different dates

matthew_foos — Wed, 17 Jan 2018 17:39:08 GMT

Answered my own question:

| timechart span=1d count by EventCode

Re: Comparing results from two different dates

mayurr98 — Wed, 17 Jan 2018 18:12:17 GMT

you can try something like this

|multisearch [search index=blahblah host=blahblah earliest=1515004200 latest=1515090600 | eval date="1/4/2018"] [search index=blahblah host=blahblah earliest=1515090600 latest=1515177000 | eval date="1/5/2018"] | fields host, EventCode
| stats count by host, EventCode date
| sort - count
| where count > 200

index=blahblah host=blahblah earliest=1515004200 latest=1515177000 | bin _time span=1d
| fields host, EventCode
| stats count by host, EventCode _time
| sort - count
| where count > 200

let me know if this helps !

Re: Comparing results from two different dates

richgalloway — Wed, 17 Jan 2018 18:49:38 GMT

@matthew.foos if your problem is resolved, please accept an answer to help future readers.