How can I get counts for yesterday and last week?

dpatel01 · ‎05-27-2022

Hi Splunkers,

I am stuck at how can I get counts for Yesterday and Last week. so ask is when select relative time from timer(in Dashboard) it should give me counts for yesterday in one panel and in another panel for last week.

For Example,

1) I am searching for 9pm to 10pm in my Dashboard so I want to setup a query that gives me same time data but yesterday's 9pm to 10pm (Query for Yesterday)

2) If I run same data then other panel should give me counts for last week at same time (Query for last Week)

so I am looking for two separate queries for both.

Basic Query:-

index::name type=sample_events "service"="auth" "successReason"=VALID | stats count

ITWhisperer · ‎05-27-2022

There are a couple of ways to do this. Assume that the timepicker sets the time frame for the first panel.

Assuming you are using Classic Dashboard, in the change handler for the time picker, evaluate a couple of additional tokens which are a week prior to the earliest and latest values returned by the time picker.

Another way would be to override the earliest and latest values with values derived from the time settings of the search in the second panel, something like this

your search [| makeresults
  | addinfo
  | eval earliest=info_min_time-(7*24*60*60)
  | eval latest=info_max_time-(7*24*60*60)
  | fields earliest latest]

dpatel01 · ‎06-02-2022

Thanks!! This is exactly what I asked for.

How can I get counts for yesterday and last week?

chart

fields

other

stats

timechart

transaction

tstats

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?