https://community.splunk.com/t5/Splunk-Search/day-by-day-comparison/m-p/40639#M9377 <P>great much appreciated!</P> Mon, 11 Jul 2011 12:47:38 GMT fwd4 2011-07-11T12:47:38Z https://community.splunk.com/t5/Splunk-Search/day-by-day-comparison/m-p/40637#M9375 <P>I'm trying to build a graph in Splunk to provide a day-by-day comparison of particular response codes. </P> <P>For example I currently monitor the last 24 hours of logs looking for a string D101 (resp_code="D101") and graph it in a timechart. What I would like to do is run a second query for the same D101 message but from the previous 24hours - then end result being a graph with 2 lines showing me today against yesterday.</P> <PRE><CODE>resp_code="D101" latest=now earliest=-24h | timechart count by resp_code | appendcols [resp_code="D101" latest=-24h earliest=-48h | timechart count by resp_code] </CODE></PRE> <P>I think I need to be looking in or around the <STRONG>appendcols</STRONG> function but I'm receiving the below error, it's obviously not parsing what I've written in the way I'd hope:</P> <P>"<EM>Search operation 'resp' is unknown. You might not have permission to run this operation.</EM>"</P> <P>Am I barking up the wrong tree with <STRONG>appendcols</STRONG>, should I be doing this a different way?</P> Mon, 11 Jul 2011 11:10:14 GMT https://community.splunk.com/t5/Splunk-Search/day-by-day-comparison/m-p/40637#M9375 fwd4 2011-07-11T11:10:14Z https://community.splunk.com/t5/Splunk-Search/day-by-day-comparison/m-p/40638#M9376 <P>You need to add the search command: <CODE>[search resp_code....</CODE></P> Mon, 11 Jul 2011 11:48:08 GMT https://community.splunk.com/t5/Splunk-Search/day-by-day-comparison/m-p/40638#M9376 JYTTEJ 2011-07-11T11:48:08Z https://community.splunk.com/t5/Splunk-Search/day-by-day-comparison/m-p/40639#M9377 <P>great much appreciated!</P> Mon, 11 Jul 2011 12:47:38 GMT https://community.splunk.com/t5/Splunk-Search/day-by-day-comparison/m-p/40639#M9377 fwd4 2011-07-11T12:47:38Z