Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you compare total events from two specific dates?

nicxso
Engager
‎02-18-2019 12:52 PM

Hey Guys,

I want to create a table where I can check the total events from two different time ranges. Here is an example.

This search contains 971 events in total:

  source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/10/2019:00:00:00" latest="2/10/2019:23:59:59"

The second search contains 1604 events in total:

 search source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/9/2019:23:59:59"

What I'm trying to do is combine this two searches and use a subsearch:

source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/10/2019:00:00:00" latest="2/10/2019:23:59:59" [ 
 search source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/9/2019:23:59:59" |
 stats count as y |
 table y] |
stats count as x |
table x, y

x should contain 971 events and y 1604 events, but instead, it's showing x has the value 0 and y is empty.

I'm still a newbie with Splunk. Can someone explain me what I could do ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎02-18-2019 01:53 PM

There are multiple ways to do it

*Best method (IMO) *
Single search fetches data for both time range and then count is calculated based on _time value compared with your static time range value.

source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/10/2019:23:59:59"
| eval x=if(_time>=strptime("2/9/2019:00:00:00","%m/%d/%Y:%H:%M:%S"), 1,0)
| eval y=if(_time<strptime("2/9/2019:00:00:00","%m/%d/%Y:%H:%M:%S"), 1,0)
| stats sum(x) as x sum(y) as y

Simplex looking search
Uses a subsearch to it has limitations and doesn't have optimal performance but easy to understand

source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/10/2019:00:00:00" latest="2/10/2019:23:59:59" | stats count as x 
| appendcols [search source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/9/2019:23:59:59" | stats count as y]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-18-2019 02:03 PM

Subsearches can be confusing. To help understand them better, keep these points in mind:

The subsearch executes first.
The results of the subsearch become part of the main query.

That means a query like index=foo source=bar [ index=foo | stats count | table count]
is equivalent to 'index=foo source=bar count=3`, which will only work if index 'foo' contains a field called 'count' and at least one event where count is 3.

In this case, the better approach is to create a single search over both days and bucket the results.

 source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/10/2019:23:59:59" 
| bucket span=1d _time
| timechart count as y
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎02-18-2019 01:53 PM

There are multiple ways to do it

*Best method (IMO) *
Single search fetches data for both time range and then count is calculated based on _time value compared with your static time range value.

source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/10/2019:23:59:59"
| eval x=if(_time>=strptime("2/9/2019:00:00:00","%m/%d/%Y:%H:%M:%S"), 1,0)
| eval y=if(_time<strptime("2/9/2019:00:00:00","%m/%d/%Y:%H:%M:%S"), 1,0)
| stats sum(x) as x sum(y) as y

Simplex looking search
Uses a subsearch to it has limitations and doesn't have optimal performance but easy to understand

source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/10/2019:00:00:00" latest="2/10/2019:23:59:59" | stats count as x 
| appendcols [search source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/9/2019:23:59:59" | stats count as y]
0 Karma
Reply
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...