Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you compare total events from two specific dates?

nicxso
Engager
‎02-18-2019 12:52 PM

Hey Guys,

I want to create a table where I can check the total events from two different time ranges. Here is an example.

This search contains 971 events in total:

  source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/10/2019:00:00:00" latest="2/10/2019:23:59:59"

The second search contains 1604 events in total:

 search source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/9/2019:23:59:59"

What I'm trying to do is combine this two searches and use a subsearch:

source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/10/2019:00:00:00" latest="2/10/2019:23:59:59" [ 
 search source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/9/2019:23:59:59" |
 stats count as y |
 table y] |
stats count as x |
table x, y

x should contain 971 events and y 1604 events, but instead, it's showing x has the value 0 and y is empty.

I'm still a newbie with Splunk. Can someone explain me what I could do ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-18-2019 01:53 PM

There are multiple ways to do it

*Best method (IMO) *
Single search fetches data for both time range and then count is calculated based on _time value compared with your static time range value.

source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/10/2019:23:59:59"
| eval x=if(_time>=strptime("2/9/2019:00:00:00","%m/%d/%Y:%H:%M:%S"), 1,0)
| eval y=if(_time<strptime("2/9/2019:00:00:00","%m/%d/%Y:%H:%M:%S"), 1,0)
| stats sum(x) as x sum(y) as y

Simplex looking search
Uses a subsearch to it has limitations and doesn't have optimal performance but easy to understand

source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/10/2019:00:00:00" latest="2/10/2019:23:59:59" | stats count as x 
| appendcols [search source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/9/2019:23:59:59" | stats count as y]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-18-2019 02:03 PM

Subsearches can be confusing. To help understand them better, keep these points in mind:

The subsearch executes first.
The results of the subsearch become part of the main query.

That means a query like index=foo source=bar [ index=foo | stats count | table count]
is equivalent to 'index=foo source=bar count=3`, which will only work if index 'foo' contains a field called 'count' and at least one event where count is 3.

In this case, the better approach is to create a single search over both days and bucket the results.

 source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/10/2019:23:59:59" 
| bucket span=1d _time
| timechart count as y
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-18-2019 01:53 PM

There are multiple ways to do it

*Best method (IMO) *
Single search fetches data for both time range and then count is calculated based on _time value compared with your static time range value.

source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/10/2019:23:59:59"
| eval x=if(_time>=strptime("2/9/2019:00:00:00","%m/%d/%Y:%H:%M:%S"), 1,0)
| eval y=if(_time<strptime("2/9/2019:00:00:00","%m/%d/%Y:%H:%M:%S"), 1,0)
| stats sum(x) as x sum(y) as y

Simplex looking search
Uses a subsearch to it has limitations and doesn't have optimal performance but easy to understand

source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/10/2019:00:00:00" latest="2/10/2019:23:59:59" | stats count as x 
| appendcols [search source="tutorialdata.zip:*" host="ubuntu-js" source="tutorialdata.zip:./mailsv/secure.log" earliest="2/9/2019:00:00:00" latest="2/9/2019:23:59:59" | stats count as y]
0 Karma
Reply
Solved! Jump to solution

tomapatan
Communicator
‎10-18-2023 01:13 AM

Hi @somesoni2 , I can`t really get the first search to work, how are the count calculations being performed ? x and y are not integers, so not sure how sum() is going to work ?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...