Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Apply the same query to multiple days given day interval

pedropiin
Path Finder
‎02-14-2025 07:03 AM

Hi everyone.

I have a query that calculates a number of metrics, such as average, max value, etc, for a specific date, given an interval from a dropdown menu. All the metrics are then output in a table, in which a row represents one day and the columns are the metrics itself.
I need to apply the same query to a number of days given an interval and output the result of each day as a new row on the column. For example, if the user queries through the past 5 days, I need five rows, each with the metrics associated only to the data from that day.

How could I do this?

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-14-2025 07:07 AM

Hi @pedropiin ,

you have to run something like this: 

<your_search>
| bin span=1d _time
| stats 
     sum(metric1) AS metric1
     sum(metric2) AS metric2
     sum(metric3) AS metric3
     BY day

I could be more detailed is you share more information about your data.

Ciao.

Giuseppe

0 Karma
Reply

pedropiin
Path Finder
‎02-14-2025 08:54 AM

Hi @gcusello. Thank you for your answer

But it doesn't seem to work...
Unfortunately I can't share information as it is sensitive, but it goes along the line of what you used as an example.

My whole query is of the form:

index ...
| stats ...
| eval var1=...
| eval var2=...
| sort var2
| eval var3=...
| bin_time span=1d
| stats(count(condition)) as count_var by day

But it doesn't seem to work. I've already tried both with one day and with a bigger interval, but they all result in "No results found". 

I can guarantee that this query should return results because when I run it for only day without the "bin" command, it gives me the correct answer.

What am I doing wrong?

Thank you in advance.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-15-2025 04:06 AM

Ok. If your initial stats doesn't include _time field, there's nothing to bin. That's why you're getting no results.

Reply

gcusello
SplunkTrust
SplunkTrust
‎02-15-2025 12:11 AM

Hi @pedropiin ,

you stats and bin statemets are wrong, please try this:

<your_search>
| bin span=1d _time
| eval var1=...
| eval var2=...
| sort var2
| eval var3=...
| stats 
     count(var1) AS var1
     count(var2) AS var2
     count(var3) AS var3
     BY day

 About sensitive information, you can mask them, for me it's interesting only the event structure and the field extractions.

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...