Create a summary table with usernames /last 7 days /last 30 days

Hi Everyone,

I am trying to create a report where I am able to get the list of usernames / number for calls for last 7 days, but I am unable to add another field, number for calls for last 30 days. The list should look something like this,
i.e. list of usernames / number for calls for last 7 days / number for calls for last 30 days.


Re: Create a summary table with usernames /last 7 days /last 30 days

@raviteja029

Try this:

your search earliest=-7d@d latest=0d@d | eval weeknum="Last 7 days" | append [ search your search earliest=-30d@d latest=0d@d | eval weeknum="Last 30 days" ] | chart count over weeknum by username

I hope this helps.


Re: Create a summary table with usernames /last 7 days /last 30 days

Hi,

Thank you for the reply.
I did a few tweaks and was able to get a response, but only the last 7 days value is correct; for the last 30 days value it's coming up with some value.

Search -
My Search | eval weeknum="Last 7 days" |
append [ search My Search | eval weeknum="Last 30 days" ]
| chart count over CustomerName by weeknum

With this I am getting output as below:
CustomerName | Last 30 days | Last 7 days |
abc | 77 | 92385 |
def | 87 | 235235 |

Here the Last 30 days value is incorrect.


Re: Create a summary table with usernames /last 7 days /last 30 days

Hi,

Could you help me get the change in percentage for the results I get from the current week of calls to last week's calls?

my Search earliest=-14d@d latest=-7d@d | eval weeknum="Last Week" |
append [ search my Search earliest=-7d@d latest=-1m@m | eval weeknum="Current Week" ] | chart count over CustomerName by weeknum


Re: Create a summary table with usernames /last 7 days /last 30 days

Give this a try:

your base search earliest=-30d@d 
| eval Last7days=if(_time>=relative_time(now(),"-7d@d"),1,0)
| stats sum(Last7days) as "number for calls for last 7 days" count as "number for calls for last 30 days" by username


Re: Create a summary table with usernames /last 7 days /last 30 days

Hi,
Thank you very much.

The search worked pretty well, but I am getting a little extra number in last 7 days; it looks like it's taking the last 8 days. Changing "-7d@d" to "-6d@d" got much closer, but I am assuming the start time has some lag now. Can you confirm the start time is from the last minute to 7 days?

Ex.:
Getting 238,121 for last 7 days but actual no. is 242,408.

And for last 30 days is coming correct.
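
Added example, not part of any post in this thread and not Splunk code: a Python model of the time modifiers discussed above ("-7d@d", "-7d", "@d", "-30d@d"), run over constructed hourly events, showing how many events each reading of "last 7 days" counts per user. It assumes snapping happens in the timezone of `now` (UTC here); the function and column names are illustrative.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def relative_time(now, days_back, snap_to_day):
    """Model of the "-Nd" and "-Nd@d" modifiers: go back N days, then
    optionally snap down to midnight (assumed: in the timezone of `now`)."""
    t = now - timedelta(days=days_back)
    if snap_to_day:
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return t


def summarize(events, now):
    """Count events per user for three readings of "last 7 days" plus the
    30-day total, in one pass over the 30-day data set."""
    start_30 = relative_time(now, 30, True)    # -30d@d
    snapped_7 = relative_time(now, 7, True)    # -7d@d
    rolling_7 = relative_time(now, 7, False)   # -7d
    today = relative_time(now, 0, True)        # @d
    table = {}
    for ts, user in events:
        if not start_30 <= ts <= now:
            continue
        row = table.setdefault(user, Counter())
        row["last_30d"] += 1
        row["from_-7d@d"] += ts >= snapped_7           # 7 full days + today so far
        row["from_-7d"] += ts >= rolling_7             # exactly 168 hours
        row["-7d@d_to_@d"] += snapped_7 <= ts < today  # 7 complete days, no today
    return table


# Constructed sample: one call per hour for 40 days, alternating two users.
NOW = datetime(2024, 3, 15, 18, 0, tzinfo=timezone.utc)
EVENTS = [(NOW - timedelta(hours=k), "abc" if k % 2 == 0 else "def")
          for k in range(960)]

if __name__ == "__main__":
    for user, row in sorted(summarize(EVENTS, NOW).items()):
        print(user, dict(row))
```

With `NOW` at 18:00, the window starting at "-7d@d" holds 18 more hours of events than the rolling "-7d" window, because the snap moves the start back to midnight.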
