- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to get the 3 columns result with 3 different t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get the 3 columns result with 3 different time stamps
Hi Splunk Guys,
Please help me with the query. My requirement is, I need search server count in here based on the version for 3 different time stamps. REsult as shown in the below
| Version Type | 30 days | 60 Days | 90 Days |
| 1.1.1.00 | 7 | 9 | 18 |
| 2.1.3.4 | 8 | 10 | 14 |
| 3.1.4.6 | 10 | 15 | 18 |
Index=_internal sourcetype=servers_list earlist=-30d
| stats count(Parameter) as ServersCount_Last30Days by Value
The above query gives me last 30 days result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vvemula based on your question seems like you are interested in delta for each time duration i.e 0-30 days 30-60 days and 60-90 days.
Following is a run anywhere search based on Splunk's _internal index which splunkd errors for last 7 days as 0-1 day, 1-3 days and 3-7 days broken down by various components.
[Optional only for demo use case]... it retains only top 5 components as per total errors.
index="_internal" sourcetype="splunkd" log_level!="INFO" earliest="-7d" latest=now
| stats count as Total count(eval(_time>relative_time(now(),"-1d@d") AND _time<=now())) as "0-1 day"
count(eval(_time>relative_time(now(),"-3d@d") AND _time<=relative_time(now(),"-1d@d-1s"))) as "1-3 days"
count(eval(_time>relative_time(now(),"-7d@d") AND _time<=relative_time(now(),"-3d@d-1s"))) as "3-7 days" by component
| sort - Total
| head 5
| fields component * TotalYou can adjust as per your needs, data and field names. Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketn HI, Thank you so much for your reply.
So As per your example. I have tried my requirement.
| stats count(servers) as Total count(eval(_time>relative_time(now(),"-30d@d") AND _time<=now())) as "30day"
count(eval(_time>relative_time(now(),"-60d@d") AND _time<=relative_time(now(),"-30d@d-1s"))) as "60days"
count(eval(_time>relative_time(now(),"-90d@d") AND _time<=relative_time(now(),"-60d@d-1s"))) as "90days" by parameter
--> "Parameter" has 10 different values, based on the stats,... I am getting only 5 few.
--> 60days and 90days not working coming as "0" s
Am I doing something wrong in here. ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vvemula
Based on your use case the following should do what you want ...
index=_internal sourcetype=servers_list earliest=-90d@d
| stats
count(eval(if(_time <= relative_time(now(), "-30d@d"), Parameter, null() ) )) as "30 Days"
count(eval(if(_time <= relative_time(now(), "-60d@d"), Parameter, null() ) )) as "60 Days"
count(eval(if(_time <= relative_time(now(), "-90d@d"), Parameter, null() ) )) as "90 Days"
BY Value
If you want distinct 30 days period counts then adjust the eval statement, e.g.
stats ...
count(eval(if(_time > relative_time(now(), "-30d@d") AND _time <= relative_time(now(), "-60d@d"), Parameter, null() ) )) AS "30-60 Days"
...Hope this helps. If it does then please mark post as solved.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
