How can I compare the results of the same search b...

rck · ‎02-16-2016

How can I compare the result by a particular week or date for this search?

sourcetype="rum" u=* |stats count,avg(t_done),max(t_done),min(t_done)  by u|sort - max(t_done)

chimell · ‎02-17-2016

Hi
try this search code just add for example earliest=-3d@d latest=-0d@d

sourcetype="rum" u=* earliest=-3d@d latest=-0d@d|stats count,avg(t_done),max(t_done),min(t_done) by u|sort - max(t_done)

ngatchasandra · ‎02-17-2016

Hi rck,

Try to run this if you want to get the specific data for the particular date;

sourcetype="rum" u=*|streamstats count,avg(t_done),max(t_done),min(t_done) by u|timechart span=w max(t_done)

This will displays you data for each week.

renjith_nair · ‎02-17-2016

If you just want to list it based on dates , then use timechart

sourcetype="rum" u=* |timechart span=1d count,avg(t_done),max(t_done),min(t_done) by u

OR

sourcetype="rum" u=* |bucket span=1d _time|stats count,avg(t_done),max(t_done),min(t_done) by u,_time|sort - max(t_done)

Happy Splunking!

rck · ‎02-17-2016

how can i get the specific data for the particular date

rck · ‎02-17-2016

i just want to retrieve the data for the date 11/02/1016,12/02/1016,13/02/1016.how can i specify this.

renjith_nair · ‎02-17-2016

You can set the timerange or adjust the earliest and latest fields to your required date

Happy Splunking!

How can I compare the results of the same search by a particular date or day of the week/month?