Compare stats of current day with previous day

aqudoos · ‎07-06-2018

Hi all!
I am currently getting stats of current day as followed
Port Count
25 25
443 75
53 990

I wanted a table like this

Port Count(Previous Day) Count(Current Day)
25 25 30
443 75 40
53 990 50

My query is like this

Index=* | stats count by port

Please confirm is it possible
Please help!

somesoni2 · ‎07-06-2018

Try like this

index=*  earliest=-1d@d latest=now 
| eval Period=if(_time>=relative_time(now(),"@d"), "Today","Yesterday")
| chart count by port Period

maraman_splunk · ‎07-06-2018

Try :
index=* | bin _time span=1d | stats count by port,_time | timewrap 1d
with a timerange of 2 days

kamlesh_vaghela · ‎07-06-2018

Hi @aqudoos,

Can you please try the following search?

index=* earliest=-d@d 
| stats count as current_day by port 
| append 
    [ search index=*  earliest=-2d@d latest=-1d@d 
    | stats count as previous_day by port] 
| stats values(current_day) as current_day values(previous_day) as previous_day by port

Thanks

Compare stats of current day with previous day

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Compare stats of current day with previous day

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem