Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add a count from a different time period

avoelk
Communicator
‎09-09-2021 05:53 AM

Hello,

 

I'm trying to add the appearance of a certain value in my base search count. the value is "detatched". it is written in an event, when a certain license has been used. this detatched license has a lifespan of 14 days, afterwards it's not active anymore and I don't need to add this to my base search anymore.

so basically it's like this : 

index=indexa=* licensecount=* productid=5000 earliest=-30d@d latest=now()
| eval flag="basecount"
| append
[search index=indexa =*  productid=5000 subject="*detatched*" earliest=-45d@d latest=-31d@d 
| eval flag="addcount"]
| stats count(eval(flag="basecount")) as basecount count(eval(flag="addcount")) as addcount
| eval totalcount = basecount+addcount
|timechart span=1d count(totalcount)


I know this query is partlially stupid but what I want to show is what I'm trying to accomplish. Example: Today I have a licence count of the product 5000 of 5, 14 days ago I had a count of 1, therefore today it should show me 6. tomorrow, this count of 1 shouldn't be added anymore, cause it's more than 14 days old and not active anymore. this should be seen - ideally - in a timechart. 

Hope someone can make sense of this . Much appreciate any help or feedback, cause, maybe it's not possible to do so in splunk. 

Thanks a lot guys

Labels (5)
0 Karma
Reply

avoelk
Communicator
‎10-05-2021 07:37 AM

hello and thanks a lot for the continuous help,

I'm going to test this query tomorrow. it looks like the right thing we need. will keep you updated and thanks again!

0 Karma
Reply

javiergn
Super Champion
‎09-09-2021 06:35 AM

Hi again @avoelk,

So resuming where we left it here: https://community.splunk.com/t5/Splunk-Search/search-a-value-in-previous-time-period-and-add-to-curr... I would try the following (keep in mind there might be typos as I did not test this on any lab):

 

 

index=indexa licensecount=* earliest=-45d@d latest=now()
| stats 
    count(eval(if(_time >= relative_time(now(), "-30d@d"), 1, null())))) as basecount,
    count(eval(if(_time >= relative_time(now(), "-45d@d") AND _time < relative_time(now(), "-30d@d") AND match(subject, "detatched"), 1, null())))) as addcount by productid
| eval totalcount = basecount + addcount
| timechart span=1d count(totalcount) by productid

 

Reply

avoelk
Communicator
‎10-07-2021 01:25 AM

Hello and thank you for your help,

 

after further discussion I think the best way of putting it is the following: 

 

1.)

I need a maximum of a value of a certain attribute at a specific day as basecount and then looks back 14 days (related to this specific day) and counts the occurance of events which contain the word "detatched" and add this as a count to the basecount.  

2.)

this would be the view for a specific day. after this I'd need this view, but for a timewindow of for example 7 days (sliding timewindow). 

It's the best way of finally putting it. I hope you get what I mean. 🙂 I'm sorry that I switched back and forth with the explanation but as you can see it's not an easy way of describing it. 

 

Thanks a lot for the help!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
li.common.scroll-to.top