Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I compare the results of the same search b...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I compare the results of the same search by a particular date or day of the week/month?
rck
New Member
02-16-2016
10:27 PM
How can I compare the result by a particular week or date for this search?
sourcetype="rum" u=* |stats count,avg(t_done),max(t_done),min(t_done) by u|sort - max(t_done)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chimell
Motivator
02-17-2016
01:52 AM
Hi
try this search code just add for example earliest=-3d@d latest=-0d@d
sourcetype="rum" u=* earliest=-3d@d latest=-0d@d|stats count,avg(t_done),max(t_done),min(t_done) by u|sort - max(t_done)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ngatchasandra
Builder
02-17-2016
01:27 AM
Hi rck,
Try to run this if you want to get the specific data for the particular date;
sourcetype="rum" u=*|streamstats count,avg(t_done),max(t_done),min(t_done) by u|timechart span=w max(t_done)
This will displays you data for each week.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
02-17-2016
12:25 AM
If you just want to list it based on dates , then use timechart
sourcetype="rum" u=* |timechart span=1d count,avg(t_done),max(t_done),min(t_done) by u
OR
sourcetype="rum" u=* |bucket span=1d _time|stats count,avg(t_done),max(t_done),min(t_done) by u,_time|sort - max(t_done)
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rck
New Member
02-17-2016
01:17 AM
how can i get the specific data for the particular date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rck
New Member
02-17-2016
01:33 AM
i just want to retrieve the data for the date 11/02/1016,12/02/1016,13/02/1016.how can i specify this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
02-17-2016
01:33 AM
You can set the timerange or adjust the earliest and latest fields to your required date
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!
Index This | Why did the turkey cross the road?
November 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Feel the Splunk Love: Real Stories from Real Customers
Hello Splunk Community,
What’s the best part of hearing how our customers use Splunk? Easy: the positive ...
