How do I get results for different days on the sam...

angersleek · ‎12-11-2018

I'm using the following search and getting the following results. This search is done over 7 days.
Is there a way I can split this up and show 1 day + 7 days?

Current search:

some_search=*| stats count(some_num) as "No: Requests" by some_num, client

Current Result

some_num client No: Requests
9999999  PC     121
111111   MAC    342

Looking to get this result instead.

some_num client No: Requests (1 Day) No: Requests (7 Days)
9999999  PC     70                   121
111111   MAC    102                  342

Also, I tried with the following search, but I ended up with all days in a single row, which is not what I want.

Another try:

some_search=* | stats count(some_num) as "No: Requests" by some_num, client, date_mday

whrg · ‎12-11-2018

Hi @angersleek,

One option would be to use the append command:

index=... ... earliest=-24h latest=now
| stats count(some_num) as "No: Requests" by some_num,client
| eval Days=1
| append [search index=... ... earliest=-7d latest=now
   | stats count(some_num) as "No: Requests" by some_num,client
   | eval Days=7]

Alternately, try this with a time range of the last 7 days:

some_search=*
| bucket _time span=1d
| eventstats max(_time) as max_time
| stats count as count_requests_7d count(eval(_time==max_time)) as count_requests_1d by some_num, client

How do I get results for different days on the same table?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation