topic Re: How to search the count of an event for the last sixty minutes, and the count of the same event for the same hour yesterday? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237497#M70579 <PRE><CODE>your search earliest=-60m@m latest=@m| stats min(_time) as _time count as Count | eval Day="Today" | fields Day, _time, Count | append [ search your search earliest=-1d@m-60m latest=-1d@m | stats min(_time) as _time count as Count | eval Day="Yesterday" | fields Day, _time, Count ] </CODE></PRE> Fri, 07 Oct 2016 23:48:28 GMT twinspop 2016-10-07T23:48:28Z How to search the count of an event for the last sixty minutes, and the count of the same event for the same hour yesterday? https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237495#M70577 <P>How to get the count of an event (say logins) in last sixty minutes and the count of same event for same hour yesterday? Result should be as:</P> <P>Today hh:mm:ss Count<BR /> Yesterday hh:mm:ss Count</P> Fri, 07 Oct 2016 23:41:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237495#M70577 govindsinghrawa 2016-10-07T23:41:19Z Re: How to search the count of an event for the last sixty minutes, and the count of the same event for the same hour yesterday? https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237496#M70578 <P>Try this</P> <PRE><CODE>base search earliest=-1d@d | eval when=if(_time&gt;relative_time(now(), "@d"), "Today", "Yesterday") | eval t=strftime(_time, "%H") | chart count over t by when </CODE></PRE> Fri, 07 Oct 2016 23:47:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237496#M70578 sundareshr 2016-10-07T23:47:17Z Re: How to search the count of an event for the last sixty minutes, and the count of the same event for the same hour yesterday? https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237497#M70579 <PRE><CODE>your search earliest=-60m@m latest=@m| stats min(_time) as _time count as Count | eval Day="Today" | fields Day, _time, Count | append [ search your search earliest=-1d@m-60m latest=-1d@m | stats min(_time) as _time count as Count | eval Day="Yesterday" | fields Day, _time, Count ] </CODE></PRE> Fri, 07 Oct 2016 23:48:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237497#M70579 twinspop 2016-10-07T23:48:28Z Re: How to search the count of an event for the last sixty minutes, and the count of the same event for the same hour yesterday? https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237498#M70580 <P>we can use date_hour and solve this specific timeframe issue.<BR /> Try this one -</P> <P>index=main sourcetype=yourSourcetype earliest=-2d latest=now (date_hour &gt; 1 OR date_hour &lt; 2) | chart count(Failure) by host</P> <P>Instead of chart, you use <BR /> |stats count AS Count</P> <P>The date_hour, earliest /latest, combinations can be fine tuned.</P> Tue, 29 Sep 2020 11:20:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237498#M70580 inventsekar 2020-09-29T11:20:04Z Re: How to search the count of an event for the last sixty minutes, and the count of the same event for the same hour yesterday? https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237499#M70581 <P>getting data for all hours and not just one hour of today and yesterday same hour</P> Sat, 08 Oct 2016 00:10:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237499#M70581 govindsinghrawa 2016-10-08T00:10:28Z Re: How to search the count of an event for the last sixty minutes, and the count of the same event for the same hour yesterday? https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237500#M70582 <P>seems to work, thanks</P> Sat, 08 Oct 2016 00:10:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237500#M70582 govindsinghrawa 2016-10-08T00:10:58Z Re: How to search the count of an event for the last sixty minutes, and the count of the same event for the same hour yesterday? https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237501#M70583 <P>will it not just return for 1st and 2nd hour and not for 60 minutes ago from now. I will try though but seems not to be complete. Thanks a lot for helping out though</P> Sat, 08 Oct 2016 00:17:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237501#M70583 govindsinghrawa 2016-10-08T00:17:01Z Re: How to search the count of an event for the last sixty minutes, and the count of the same event for the same hour yesterday? https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237502#M70584 <P>I don't ever trust date_hour. Lots of past discussion on this. Search the archives.</P> Sat, 08 Oct 2016 01:13:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237502#M70584 twinspop 2016-10-08T01:13:06Z Re: How to search the count of an event for the last sixty minutes, and the count of the same event for the same hour yesterday? https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237503#M70585 <P>Lets assume that the event you have can be uniquely identified by <STRONG><EM>yourBaseSearch</EM></STRONG>, so your base search should return you unique events for whatever you are counting, then search twice and append them.</P> <OL> <LI>One search to return today's count for an hour ago <PRE> yourBaseSearch earliest=-60m latest=now() |fields anyFieldOfyoursToEnsureCountingOfEvents | timechart span=1m count | eval _time=_time-now()%3600 | timechart span=1h sum(count) as count | tail 3 | tail 2 | eval _time=_time+now()%3600 |tail 1 </PRE></LI> <LI><P>SubSearch to return yesterday's count by shifting earliest and latest by 25 and 24 hours(in minutes to be accurate till minutes):<BR /> <PRE><BR /> search yourBaseSearchAgain earliest=-1500m latest=-1440m <BR /> | timechart span=1m count <BR /> | eval _time=_time-now()%3600 <BR /> | timechart span=1h sum(count) as count <BR /> | tail 3 | tail 2 <BR /> | eval _time=_time+now()%3600<BR /> |tail 1<BR /> </PRE></P></LI> <LI><P>Append search 1 and 2</P></LI> </OL> <PRE> search1Above |append [search2Above] |sort +_time </PRE> <P><STRONG>NOTE:</STRONG> _time=_time-now()%3600 is given just to push the time in display to return the time correctly to represent since when the count is being taken.</P> Tue, 29 Sep 2020 11:20:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237503#M70585 gokadroid 2020-09-29T11:20:06Z Re: How to search the count of an event for the last sixty minutes, and the count of the same event for the same hour yesterday? https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237504#M70586 <P>tested it as an answer post . seems to be working .</P> Sat, 08 Oct 2016 22:28:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-an-event-for-the-last-sixty-minutes/m-p/237504#M70586 govindsinghrawa 2016-10-08T22:28:17Z