Comparing results from two different dates

Path Finder

Hello all,

Search string:
index=blahblah host=blahblah
| fields host, EventCode
| stats count by host, EventCode
| sort - count
| where count > 200

I'm trying to compare the results of this search for the following dates in one report:
1-4-2018 and 1-5-2018

0 Karma
1 Solution

Path Finder

Answered my own question:

| timechart span=1d count by EventCode

View solution in original post

0 Karma

SplunkTrust

You can try something like this:

| multisearch
    [search index=blahblah host=blahblah earliest=1515004200 latest=1515090600 | eval date="1/4/2018"]
    [search index=blahblah host=blahblah earliest=1515090600 latest=1515177000 | eval date="1/5/2018"]
| fields host, EventCode, date
| stats count by host, EventCode, date
| sort - count
| where count > 200

OR

index=blahblah host=blahblah earliest=1515004200 latest=1515177000
| bin _time span=1d
| fields host, EventCode
| stats count by host, EventCode, _time
| sort - count
| where count > 200

Let me know if this helps!

0 Karma
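Both queries in the answer above reduce to the same operation: put each event into a one-day bucket, count by host, EventCode and day, and keep the buckets above the threshold. The Python below is an added example, not code from the thread or from Splunk, that does the same thing over a constructed set of Windows Security events so the behaviour can be checked offline. The hosts, EventCodes and counts are made up; the epoch bounds are the ones the answer uses, and they fall on midnight at UTC+05:30, so the timezone used for bucketing is made an explicit parameter. It also adds a pivot that lists both days side by side with a delta, which is what "in one report" asks for.

```python
"""Day-bucketed count by host/EventCode over a search window, plus a two-day
comparison. Added example; all events below are constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
IST = timezone(timedelta(hours=5, minutes=30))  # offset implied by the answer's epoch bounds

# Bounds from the answer: 1515004200 = 2018-01-04 00:00 +05:30 (= 2018-01-03 18:30 UTC)
EARLIEST = 1515004200          # inclusive, like earliest=
LATEST = 1515177000            # exclusive, like latest=  (2018-01-06 00:00 +05:30)
JAN4 = EARLIEST                # start of 1/4/2018 in IST
JAN5 = EARLIEST + 86400        # start of 1/5/2018 in IST


def make_events(host, code, start, n, spacing=60):
    """Constructed sample: n events of EventCode `code` on `host`, one every `spacing` s from `start`."""
    return [{"host": host, "EventCode": code, "_time": start + i * spacing} for i in range(n)]


EVENTS = (
    make_events("dc01", 4625, JAN4, 260)           # failed logons on 1/4
    + make_events("dc01", 4625, JAN5, 905)         # spike on 1/5
    + make_events("dc01", 4624, JAN4, 150)         # successful logons, under threshold both days
    + make_events("dc01", 4624, JAN5, 180)
    + make_events("web01", 4688, JAN4 - 3600, 270)  # process creation; starts 23:00 IST on 1/3,
)                                                    # so 60 events fall before the window


def search(events, earliest=EARLIEST, latest=LATEST):
    """index=... earliest=... latest=...: keep events inside the window."""
    return [e for e in events if earliest <= e["_time"] < latest]


def bin_day(ts, tz):
    """bin _time span=1d: the calendar day of `ts` in timezone `tz`."""
    return datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d")


def stats_by_day(events, tz=IST, threshold=200):
    """stats count by host, EventCode, _time | where count > threshold | sort - count"""
    counts = Counter((e["host"], e["EventCode"], bin_day(e["_time"], tz)) for e in events)
    rows = [(h, c, d, n) for (h, c, d), n in counts.items() if n > threshold]
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1], r[2]))


def compare_days(events, tz, day_a, day_b, threshold=200):
    """One row per host/EventCode with both days' counts and the delta.
    The threshold applies to the larger of the two days, so a code that was
    noisy on only one day still shows its quiet day as 0 instead of vanishing."""
    counts = Counter((e["host"], e["EventCode"], bin_day(e["_time"], tz)) for e in events)
    pairs = sorted({(h, c) for (h, c, _) in counts})
    out = []
    for h, c in pairs:
        a, b = counts[(h, c, day_a)], counts[(h, c, day_b)]
        if max(a, b) > threshold:
            out.append({"host": h, "EventCode": c, day_a: a, day_b: b, "delta": b - a})
    return out


if __name__ == "__main__":
    window = search(EVENTS)
    for tz_name, tz in (("IST", IST), ("UTC", UTC)):
        print(f"-- per-day counts > 200, buckets in {tz_name}")
        for row in stats_by_day(window, tz):
            print(row)
    print("-- 1/4 vs 1/5 (IST buckets)")
    for row in compare_days(window, IST, "2018-01-04", "2018-01-05"):
        print(row)
```

Running the same window with IST and UTC buckets gives different rows: the 905 failed logons on 1/5 (IST) split into 330 on 2018-01-04 and 575 on 2018-01-05 under UTC, and the `web01` block moves from 2018-01-04 to 2018-01-03. The epoch bounds fix the window, but the day each event lands in is decided by the timezone the search runs under, so a report that compares two dates should state which timezone the days are cut in.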


SplunkTrust

@matthew.foos if your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma