Re: How do I get results for different days on the...

angersleek · ‎12-11-2018

I'm using the following search and getting the following results. This search is done over 7 days.
Is there a way I can split this up and show 1 day + 7 days?

Current search:

some_search=*| stats count(some_num) as "No: Requests" by some_num, client

Current Result

some_num client No: Requests
9999999  PC     121
111111   MAC    342

Looking to get this result instead.

some_num client No: Requests (1 Day) No: Requests (7 Days)
9999999  PC     70                   121
111111   MAC    102                  342

Also, I tried with the following search, but I ended up with all days in a single row, which is not what I want.

Another try:

some_search=* | stats count(some_num) as "No: Requests" by some_num, client, date_mday

whrg · ‎12-11-2018

Hi @angersleek,

One option would be to use the append command:

index=... ... earliest=-24h latest=now
| stats count(some_num) as "No: Requests" by some_num,client
| eval Days=1
| append [search index=... ... earliest=-7d latest=now
   | stats count(some_num) as "No: Requests" by some_num,client
   | eval Days=7]

Alternately, try this with a time range of the last 7 days:

some_search=*
| bucket _time span=1d
| eventstats max(_time) as max_time
| stats count as count_requests_7d count(eval(_time==max_time)) as count_requests_1d by some_num, client

How do I get results for different days on the same table?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!