Hello, please help!
I want to display only the unique names from yesterday that are not in today's list
Initial search:
Date Name Value
09/18/2016 ABC 2
09/18/2016 XYZ 9
09/18/2016 EFG 8
09/19/2016 ABC 3
Final search:
Date Name Value
09/18/2016 XYZ 9
09/18/2016 EFG 8
Try this
index=xyz earliest=-1d@d | eval Date=strftime(_time, "%m/%d/%Y") | eval when=if(_time>relative_time(now(), "@d"), "Today", "Yesterday") | dedup Name Date | eval Value=Value."#".Date | chart values(Value) as Value over Name by when | where isnull(Today) AND isnotnull(Yesterday) | table Name Yesterday | rex field=Yesterday "(?<Value>[^\#]+)\#(?<Date>.*)" | table Date Name Value
*UPDATED*
BASE SEARCH | eval when=if(strptime(Date, "%m/%d/%Y")>=relative_time(now(), "@d"), "Today", "Yesterday") | dedup Name Date | eval Value=Value."#".Date | chart values(Value) as Value over Name by when | where isnull(Today) AND isnotnull(Yesterday) | table Name Yesterday | rex field=Yesterday "(?<Value>[^\#]+)\#(?<Date>.*)" | table Date Name Value
OR THIS*
base search | sort - Date | dedup Name | where strptime(Date, "%m/%d/%Y")<relative_time(now(), "@d")
Assuming that you've a working search giving you your initial output, try this
your current search giving fields Date Name Value | stats values(Date) as Date values(Value) as Value by Name | where mvcount(Date)=1 AND strptime(Date, "%m/%d/%Y")<relative_time(now(), "@d")
I don't think I have the _time records 😞
yeah! the last one seems to do the job 😉
@splunkapprentice please accept this answer to close it out.
Try the updated query