Splunk Search

How do I compare search results from two different time periods?

dunyaelbasan
Path Finder

I have shown the queries I made with set diff and eval below. My aim is, at 07:00 every day, to compare the previous day's 07:00-to-07:00 report with that day's 07:00-to-07:00 report and to post the difference. Example: compare the search result from 30 November 07:00 to 1 December 07:00 with the search result from 1 December 07:00 to 2 December 07:00 and send the difference.


| set diff
    [ search NOERROR 10.217.154.253 OR 10.154.216.57 OR 10.194.41.30 earliest="-3d@d" latest="-2d@d" NOT EVRHSGSN1 NOT "*EPDG*" "*MNC001.MCC286*" "*tac-*"
      | fields "Query", "View", "Response_1", "Response_2", "Response_3", "Response_4", "Response_5", "Response_6", "Response_7", "Response_8", "Response_9", "Query_Type"
      | fields - _raw
      | dedup "Query" "View"
      | sort "Query" ]
    [ search NOERROR 10.217.154.253 OR 10.154.216.57 OR 10.194.41.30 earliest="-2d@d" latest="-d@d" NOT EVRHSGSN1 NOT "*EPDG*" "*MNC001.MCC286*" "*tac-*"
      | fields "Query", "View", "Response_1", "Response_2", "Response_3", "Response_4", "Response_5", "Response_6", "Response_7", "Response_8", "Response_9", "Query_Type"
      | fields - _raw
      | dedup "Query" "View"
      | sort "Query" ]
With eval:
index="syslog" NOERROR 10.217.154.253 OR 10.154.216.57 OR 10.194.41.30 earliest="11/29/2020:00:00:00" latest="11/29/2020:23:59:59" NOT EVRHSGSN1 NOT "*EPDG*" "*MNC001.MCC286*" "*tac-*"
| fields "Query", "View", "Response_1", "Response_2", "Response_3", "Response_4", "Response_5", "Response_6", "Response_7", "Response_8", "Response_9", "Query_Type"
| fields - _raw
| dedup "Query" "View"
| sort "Query"
| eval ReportKey="bugun"
| append
    [ search index="syslog" NOERROR 10.217.154.253 OR 10.154.216.57 OR 10.194.41.30 earliest="11/28/2020:00:00:00" latest="11/28/2020:23:59:59" NOT EVRHSGSN1 NOT "*EPDG*" "*MNC001.MCC286*" "*tac-*"
      | fields "Query", "View", "Response_1", "Response_2", "Response_3", "Response_4", "Response_5", "Response_6", "Response_7", "Response_8", "Response_9", "Query_Type"
      | fields - _raw
      | dedup "Query" "View"
      | sort "Query"
      | eval ReportKey="dun" ]
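One way to produce the 07:00-to-07:00 difference in a single scheduled search, added here as an editorial example and not the poster's own query: both windows are read at once, each event is tagged with the period it belongs to, and only rows present in exactly one period survive, which mirrors the row-level comparison set diff performs. It assumes the search runs daily at or shortly after 07:00, that the poster's field names apply, and that NOERROR is meant to apply to all three addresses (hence the added parentheses); the string values "dun" and "bugun" are quoted because unquoted eval treats them as field names and yields null.

```spl
index="syslog" NOERROR (10.217.154.253 OR 10.154.216.57 OR 10.194.41.30)
    NOT EVRHSGSN1 NOT "*EPDG*" "*MNC001.MCC286*" "*tac-*"
    earliest="-2d@d+7h" latest="@d+7h"
| fields Query View Response_1 Response_2 Response_3 Response_4 Response_5
         Response_6 Response_7 Response_8 Response_9 Query_Type
| fields - _raw
| eval ReportKey=if(_time < relative_time(now(), "-1d@d+7h"), "dun", "bugun")
| fillnull value="-" Response_1 Response_2 Response_3 Response_4 Response_5
                    Response_6 Response_7 Response_8 Response_9 Query_Type
| stats dc(ReportKey) AS periods, values(ReportKey) AS ReportKey
        BY Query View Response_1 Response_2 Response_3 Response_4 Response_5
           Response_6 Response_7 Response_8 Response_9 Query_Type
| where periods=1
| eval Change=if(ReportKey="bugun", "only in today's report", "only in yesterday's report")
| fields - periods
| sort Query View
```

The fillnull step matters because stats drops any row whose BY field is null, so a query with fewer than nine response values would otherwise vanish from the comparison. Schedule the search for 07:00 and alert when the result count is greater than zero to post the difference automatically.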
