How do I get results for different days on the same table?

Path Finder

I'm using the following search and getting the following results. This search is done over 7 days.
Is there a way I can split this up and show 1 day + 7 days?

Current search:

some_search=* | stats count(some_num) as "No: Requests" by some_num, client

Current Result

some_num client No: Requests
9999999  PC     121
111111   MAC    342

Looking to get this result instead.

some_num client No: Requests (1 Day) No: Requests (7 Days)
9999999  PC     70                   121
111111   MAC    102                  342

Also, I tried with the following search, but I ended up with all days in a single row, which is not what I want.

Another try:

some_search=* | stats count(some_num) as "No: Requests" by some_num, client, date_mday
0 Karma

Motivator

Hi @angersleek,

One option would be to use the append command:

index=... ... earliest=-24h latest=now
| stats count(some_num) as "No: Requests" by some_num,client
| eval Days=1
| append [search index=... ... earliest=-7d latest=now
   | stats count(some_num) as "No: Requests" by some_num,client
   | eval Days=7]

Alternately, try this with a time range of the last 7 days:

some_search=*
| bucket _time span=1d
| eventstats max(_time) as max_time
| stats count as count_requests_7d count(eval(_time==max_time)) as count_requests_1d by some_num, client
0 Karma
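
A single-pass variant that produces the two columns asked for in the question, added here as an example and not part of either post. It reuses the thread's placeholder `some_search=*` and field names; treating "1 Day" as a rolling 24-hour window via `relative_time()` is an assumption.

```spl
some_search=* earliest=-7d latest=now
| eval in_last_day=if(_time >= relative_time(now(), "-24h"), 1, 0)
| stats sum(in_last_day) as "No: Requests (1 Day)" count(some_num) as "No: Requests (7 Days)" by some_num, client
| table some_num, client, "No: Requests (1 Day)", "No: Requests (7 Days)"
```

Because the cutoff is computed from `now()`, the 1-day column covers the last 24 hours relative to when the search runs, whereas bucketing `_time` with `span=1d` snaps events to calendar-day boundaries.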