Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I compare Todays result with yesterdays?

Teemanny
Engager
‎07-25-2023 05:29 AM

I have the code below and I need to get the statuses yesterday and today with respect to API value.
My current search is below. 

index="l7" earliest=-1d@d latest=now
| eval status=case(response_status<400 AND severity="Audit", "Success_count", response_status>=400 and response_status<500, "Backend_4XX",response_status>=500, "Backend_5XX",response_status==0 AND severity="Exception", "L7_Error")
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")


I need my data to be grouped separately or side by side. Teemanny_0-1690287931502.png
I need your help in achieving this.

 



Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-25-2023 06:15 AM

You can't have two level headers, but you could try combining the values

index="l7" earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| eval status=case(response_status<400 AND severity="Audit", Day."_Success_count", response_status>=400 and response_status<500, Day."_Backend_4XX",response_status>=500, Day."_Backend_5XX",response_status==0 AND severity="Exception", Day."_L7_Error")
| chart count by API status

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Teemanny
Engager
‎07-26-2023 08:01 AM

Can you please help with time range for 15mins ago in comparison to 15m last week ago.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-26-2023 10:12 AM

Try something like this

(earliest=-7d@m-15m latest=-7d@m) OR (earliest=-15m@m latest=@m)
0 Karma
Reply
Solved! Jump to solution

Teemanny
Engager
‎07-26-2023 10:20 AM

This did the trick.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-25-2023 05:55 AM 
index="l7" earliest=-1d@d latest=now
| eval status=case(response_status<400 AND severity="Audit", "Success_count", response_status>=400 and response_status<500, "Backend_4XX",response_status>=500, "Backend_5XX",response_status==0 AND severity="Exception", "L7_Error")
| bin _time span=1d
| timechart count by status
| timewrap 1d
0 Karma
Reply
Solved! Jump to solution

Teemanny
Engager
‎07-25-2023 06:06 AM

Teemanny_1-1690290262491.png

It summed up the counts, I want all the several count wrt the API names which are over 100.

Teemanny_2-1690290357466.png

something like the screenshot above

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-25-2023 06:15 AM

You can't have two level headers, but you could try combining the values

index="l7" earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| eval status=case(response_status<400 AND severity="Audit", Day."_Success_count", response_status>=400 and response_status<500, Day."_Backend_4XX",response_status>=500, Day."_Backend_5XX",response_status==0 AND severity="Exception", Day."_L7_Error")
| chart count by API status

 

0 Karma
Reply
Solved! Jump to solution

Teemanny
Engager
‎07-25-2023 06:35 AM

Thank you for the response. It's working now

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...