Splunk Search

Append command not working to combine two searches with the same result but events occurred in two different timespans

kanj
New Member

Hello there,

Step1:
user software_name dc_today dc_past
A XYZ.exe 1 9
B PQR.exe 2 3
C DTA.exe 0 1

The final result should be:
user software_name dc_today
A XYZ.exe 1

My method:
index=* _index_earliest=-1d |stats dc(user) as dc by software_name |eval dc_today=if(dc=1, 1, 0)
|append [search index=* _index_earliest=-5d |stats dc(user) as dc by software_name |eval dc_past=if(dc=1,1,0)]
|table user software_name dc_today dc_past

So I am running two similar searches with differences in timespan.
1) Append is not reflecting the sub-search
2) Is there more efficient way for this?

Thanks in advance!
KanJ

0 Karma

to4kawa
Ultra Champion
 index=* earliest=-1d 
| stats dc(user) as dc by software_name 
| eval dc_today=if(dc=1, 1, 0) 
| append 
    [ search index=* earliest=-5d 
    | stats dc(user) as dc by software_name 
    | eval dc_past=if(dc=1,1,0)] 
| table user software_name dc_today dc_past

The user of your query is disappear. because stats aggregates.

index=* earliest=-5d 
| stats dc(eval(if(related_time(now(),"-1d") <= _time,user,NULL))) as dc_today dc(user) as dc_past by software_name 

Unique user count in software name is above.

The final result should be:
user software_name dc_today
A XYZ.exe 1

What's your logic?

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...