Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate distinct count for present values and 7 days ago values for a given field?

POR160893
Builder
‎06-08-2023 04:26 AM

Hi,

My initial Splunk query was:
index="ABC" sourcetype="DEF"
| stats dc(fruit) AS "Fruits" by Diet
| sort -"Fruits"

However, I need to add a new field "Fruits 7 days ago" which finds the distinct count of "fruit" by "Diet". My current query is as follows:

index="ABC" sourcetype="DEF"
| stats dc(fruit) AS "Fruits" by Diet
|append [search earliest=-1w@w latest=@w
index="ABC" sourcetype="DEF"
| stats dc(fruit) AS "Fruits 7 days ago" by Diet ]
| sort -"Fruits", "Fruits 7 days ago"


Can you please help as I should be getting 3 outputted fields: "Diet", "Fruits", "Fruits 7 days ago" BUT I am still only getting  "Diet" and "Fruits".

Can you please help?


Many thanks!


Labels (5)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...