https://community.splunk.com/t5/Splunk-Search/comparing-two-values-of-Today-and-Yesterday/m-p/118740#M31739 <P>Hi abhayneilam,</P> <P>take a look at the <A href="http://apps.splunk.com/app/1645/">timewrap</A> app which will provide a new search command to do exactly those kind of time to time compares.</P> <P>cheers, MuS</P> Thu, 03 Apr 2014 13:16:17 GMT MuS 2014-04-03T13:16:17Z https://community.splunk.com/t5/Splunk-Search/comparing-two-values-of-Today-and-Yesterday/m-p/118739#M31738 <P>Hi,</P> <P>I have two searches , I want to compare one with other, one search should run for "Today" and other should run for "Yesterday", so I have used earliest=@d latest=now for "Today" and <BR /> earliest=-1d@d latest=@d for "Yesterday" data, but here is one catch that it is not good to compare the data in this case because "Yesterday" is having full last 24 hours data and "Today" is having only the data till when I am running the query ( lets say 10 hours data ) , If I execute "Today" query it will be 12 hours data comparing with 24 hours data ...</P> <P>So, I want to make my query as such that it should compare today's 12 hours data with yesterday's 12 hours data.</P> <P>Need your help in doing that !! Please suggest me some solution.</P> <P>Thanks in advance !!</P> Thu, 03 Apr 2014 13:09:20 GMT https://community.splunk.com/t5/Splunk-Search/comparing-two-values-of-Today-and-Yesterday/m-p/118739#M31738 abhayneilam 2014-04-03T13:09:20Z https://community.splunk.com/t5/Splunk-Search/comparing-two-values-of-Today-and-Yesterday/m-p/118740#M31739 <P>Hi abhayneilam,</P> <P>take a look at the <A href="http://apps.splunk.com/app/1645/">timewrap</A> app which will provide a new search command to do exactly those kind of time to time compares.</P> <P>cheers, MuS</P> Thu, 03 Apr 2014 13:16:17 GMT https://community.splunk.com/t5/Splunk-Search/comparing-two-values-of-Today-and-Yesterday/m-p/118740#M31739 MuS 2014-04-03T13:16:17Z https://community.splunk.com/t5/Splunk-Search/comparing-two-values-of-Today-and-Yesterday/m-p/118741#M31740 <P>You could use <CODE>earliest=@d latest=@h</CODE> for Today and <CODE>earliest=-1d@d latest=-24h@h</CODE> for Yesterday. Or <CODE>earliest=@d latest=@m</CODE> for Today and <CODE>earliest=-1d@d latest=-1440m@m</CODE> for Yesterday.</P> Thu, 03 Apr 2014 13:18:31 GMT https://community.splunk.com/t5/Splunk-Search/comparing-two-values-of-Today-and-Yesterday/m-p/118741#M31740 richgalloway 2014-04-03T13:18:31Z https://community.splunk.com/t5/Splunk-Search/comparing-two-values-of-Today-and-Yesterday/m-p/118742#M31741 <P>Thinking a bit about this request I came up with this run everywhere command:</P> <P><CODE>index=_internal ealiest=-25h@h | stats count(date_hour) as hourly_count by date_hour, date_wday</CODE></P> <P>this will count all events per hour in the last 25 hours and group them per hour per day. Just adapt it to your needs, like filter the date_hour you need.</P> Thu, 03 Apr 2014 13:44:12 GMT https://community.splunk.com/t5/Splunk-Search/comparing-two-values-of-Today-and-Yesterday/m-p/118742#M31741 MuS 2014-04-03T13:44:12Z https://community.splunk.com/t5/Splunk-Search/comparing-two-values-of-Today-and-Yesterday/m-p/118743#M31742 <P>Try something like this </P> <PRE><CODE>| multisearch [search index=_internal earliest=@d latest=now | eval day="Today"] [search index=_internal [search index=_internal earliest=@d latest=now | head 1 | addinfo | eval latest=info_max_time-86400 | eval earliest=info_min_time-86400 | table earliest, latest| format "" "" " " "" "" ""] | eval day="Yesterday"]... </CODE></PRE> <P>This query can compare data from Today's hours (if ran at 04/03/2014 10:00 AM, then 04/03/2014 0:00 AM to 04/03/2014 10:00 AM) with exact same hour's from yesterday (04/02/2014 00:00 AM to 04/02/2014 10:00 AM).</P> Thu, 03 Apr 2014 14:13:14 GMT https://community.splunk.com/t5/Splunk-Search/comparing-two-values-of-Today-and-Yesterday/m-p/118743#M31742 somesoni2 2014-04-03T14:13:14Z