Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Comparing two time periods with the diff command, how to display only new errors from the last 24 hours that have NOT happened in the last 7 days?

natefly5
Explorer
‎02-23-2015 10:55 AM

I am trying to display errors from the last 24 hours that have NOT happened in the last 7 days. I only want to see the "new" errors.

When I run this search, it will compare the two time periods and only removes the errors that happened at both times. So it will display the new errors and the old ones. Any help would be greatly appreciated!

|set diff [search sourcetype=Apps (Hosted="A" OR Hosted="B") earliest=-7d@d latest=-1d@d sub_source="'C'" sub_origin="'D'" |stats count by error, msg, program |table error, msg, program] [search sourcetype=Apps (Hosted="A" OR Hosted="B") earliest=-1d@d latest=@m sub_source="'C'" sub_origin="'D'" |stats count by error, msg, program | table error, msg, program]
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-23-2015 08:54 PM

This is just a thought, but's let's try this without a subsearch or the set command at all..

earliest=-7d@d latest=@m sourcetype=Apps (Hosted="A" OR Hosted="B")  sub_source="'C'" sub_origin="'D'" 
| addinfo
| eval older_than_24 = if( _time < (info_max_time - 86400),1,0)
| stats max(older_than_24) as older_than_24, count by error, msg, program 
| search older_than_24=0
| table error, msg, program

Or we can try this, which is similar but gives you count of errors in the last 24 hours.

earliest=-7d@d latest=@m sourcetype=Apps (Hosted="A" OR Hosted="B")  sub_source="'C'" sub_origin="'D'" 
| addinfo
| eval older_than_24 = if( _time < (info_max_time - 86400),1,0)
| stats count(eval(_time < (info_max_time - 86400))) as  count_older_than_24, count(eval(_time >= (info_max_time - 86400))) as count_last_24 by error, msg, program 
| search count_older_than_24=0
| table error, msg, program

View solution in original post

Reply
Solved! Jump to solution

mfscully
Explorer
‎09-22-2016 03:00 AM

Another way to do this is run a scheduled report at midnight that outputs the error, msg, and program for the last 7 days to a lookup. Then you can run your 24 hour report on demand using the lookup to filter. This is probably best performance.

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-23-2015 08:54 PM

This is just a thought, but's let's try this without a subsearch or the set command at all..

earliest=-7d@d latest=@m sourcetype=Apps (Hosted="A" OR Hosted="B")  sub_source="'C'" sub_origin="'D'" 
| addinfo
| eval older_than_24 = if( _time < (info_max_time - 86400),1,0)
| stats max(older_than_24) as older_than_24, count by error, msg, program 
| search older_than_24=0
| table error, msg, program

Or we can try this, which is similar but gives you count of errors in the last 24 hours.

earliest=-7d@d latest=@m sourcetype=Apps (Hosted="A" OR Hosted="B")  sub_source="'C'" sub_origin="'D'" 
| addinfo
| eval older_than_24 = if( _time < (info_max_time - 86400),1,0)
| stats count(eval(_time < (info_max_time - 86400))) as  count_older_than_24, count(eval(_time >= (info_max_time - 86400))) as count_last_24 by error, msg, program 
| search count_older_than_24=0
| table error, msg, program
Reply
Solved! Jump to solution

natefly5
Explorer
‎02-24-2015 11:03 AM

Thank you! This works perfectly. My follow up question is very basic but how can I add a count to show how many times each type of error has happened in the last 24 hours? Thanks again!

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎02-24-2015 08:09 PM

does the second search above do what you're seeking here?

0 Karma
Reply
Solved! Jump to solution

natefly5
Explorer
‎03-03-2015 06:28 AM

Yes it works, thanks a lot for your help!

Reply
Solved! Jump to solution

aholzer
Motivator
‎02-23-2015 12:14 PM

Add an eval to both sets that identifies one set as the new and one as the old, and just add a where eval="new". Like so:

|set diff [search sourcetype=Apps (Hosted="A" OR Hosted="B") earliest=-7d@d latest=-1d@d sub_source="'C'" sub_origin="'D'" |stats count by error, msg, program |table error, msg, program | eval label="old"] [search sourcetype=Apps (Hosted="A" OR Hosted="B") earliest=-1d@d latest=@m sub_source="'C'" sub_origin="'D'" |stats count by error, msg, program | table error, msg, program | eval label="new"] | search label="new"
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-23-2015 12:12 PM

Why not this

sourcetype=Apps (Hosted="A" OR Hosted="B") earliest=-1d@d latest=@m sub_source="'C'" sub_origin="'D'" 
NOT [search sourcetype=Apps (Hosted="A" OR Hosted="B") earliest=-7d@d latest=-1d@d sub_source="'C'" sub_origin="'D'" |stats count by error, msg, program |table error, msg, program] 
|stats count by error, msg, program | table error, msg, program
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...