topic Re: Apply the same query to multiple days given day interval in Splunk Search

Apply the same query to multiple days given day interval

pedropiin — Fri, 14 Feb 2025 15:03:21 GMT

Hi everyone.

I have a query that calculates a number of metrics, such as average, max value, etc, for a specific date, given an interval from a dropdown menu. All the metrics are then output in a table, in which a row represents one day and the columns are the metrics itself.
I need to apply the same query to a number of days given an interval and output the result of each day as a new row on the column. For example, if the user queries through the past 5 days, I need five rows, each with the metrics associated only to the data from that day.

How could I do this?

Re: Apply the same query to multiple days given day interval

gcusello — Fri, 14 Feb 2025 15:07:34 GMT

Hi @pedropiin ,

you have to run something like this:

<your_search> | bin span=1d _time | stats sum(metric1) AS metric1 sum(metric2) AS metric2 sum(metric3) AS metric3 BY day

I could be more detailed is you share more information about your data.

Ciao.

Giuseppe

Re: Apply the same query to multiple days given day interval

pedropiin — Fri, 14 Feb 2025 16:54:17 GMT

Hi @gcusello. Thank you for your answer

But it doesn't seem to work...
Unfortunately I can't share information as it is sensitive, but it goes along the line of what you used as an example.

My whole query is of the form:

But it doesn't seem to work. I've already tried both with one day and with a bigger interval, but they all result in "No results found".

I can guarantee that this query should return results because when I run it for only day without the "bin" command, it gives me the correct answer.

What am I doing wrong?

Thank you in advance.

Re: Apply the same query to multiple days given day interval

gcusello — Sat, 15 Feb 2025 08:11:09 GMT

Hi @pedropiin ,

you stats and bin statemets are wrong, please try this:

About sensitive information, you can mask them, for me it's interesting only the event structure and the field extractions.

Ciao.

Giuseppe

Re: Apply the same query to multiple days given day interval

PickleRick — Sat, 15 Feb 2025 12:06:27 GMT

Ok. If your initial stats doesn't include _time field, there's nothing to bin. That's why you're getting no results.