Solved: How to form a trend table for events

mrigank517 · ‎05-17-2019

I want to have a search for a particular keyword say "error" being calculated from the events and the output should be in the form of table which shows the count for the particular event for last 7 days and last 30 days.

Sukisen1981 · ‎05-17-2019

append will add the sub search as a row entry, and eval works on a event row basis, so ideally you should not receive any output by using thsi query. Try this :
index=xxx error earliest=-30d@d latest=@d | stats count AS thirty_days | appendcols [ search earliest=-7d@d latest=@d | stats count AS seven_days] | eval rate=((seven_days/thirty_days)*100) |table rate

View solution in original post

Sukisen1981 · ‎05-17-2019

append will add the sub search as a row entry, and eval works on a event row basis, so ideally you should not receive any output by using thsi query. Try this :
index=xxx error earliest=-30d@d latest=@d | stats count AS thirty_days | appendcols [ search earliest=-7d@d latest=@d | stats count AS seven_days] | eval rate=((seven_days/thirty_days)*100) |table rate

richgalloway · ‎05-17-2019

What have you tried so far?

---
If this reply helps you, Karma would be appreciated.

mrigank517 · ‎05-17-2019

How to form a trend table for events

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation