Splunk Search

How to combine my two tstats searches?

abbam
Explorer

Hi,

Wondering if someone could help me here, I'm trying to join two tstats searches together.

I basically want to get a result from 120 minutes ago and a result for the last 60 minutes, based on hosts.

Here is the search:

| tstats summariesonly=t prestats=t count as old from datamodel=Web WHERE earliest=-120m latest=-60m by host | stats count as old by host | tstats summariesonly=t prestats=t append=t count as new from datamodel=Web WHERE earliest=-60m latest=now by host | stats count as new by host

Any idea why this doesn't work?

Thanks!

1 Solution

somesoni2
Revered Legend

Try like this

| tstats summariesonly=t prestats=t count from datamodel=Web WHERE earliest=-120m@m latest=@m by host _time span=1m | eval Period=if(_time>relative_time(now(),"-60m@m"),"New","Old") | chart sum(count) over host by Period


abbam
Explorer

Thanks for that.

I'm afraid it doesn't work. sum(count) has no values, but I know there are numbers there because I can do it without using the datamodel.

abbam
Explorer

Managed to fix it by:

| tstats summariesonly=t prestats=t count from datamodel=Matin WHERE earliest=-120m@m latest=@m by host _time span=1m | eval Period=if(_time>relative_time(now(),"-60m@m"),"New","Old") | chart count over host by Period

Thanks!!!!!

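Putting the accepted answer and the follow-up fix together, here is an added example (not a search from the thread) of the same old-vs-new comparison written without prestats=t. With prestats=t, tstats emits intermediate results that have to be consumed by a following stats or chart that applies the same aggregation, which is why chart count over host by Period works while sum(count) returns nothing; without prestats=t, count is an ordinary field that can be summed. The datamodel name Web, the one-minute span and the drop/spike thresholds are assumptions for illustration:

```spl
| tstats summariesonly=t count from datamodel=Web
    where earliest=-120m@m latest=@m
    by host _time span=1m
| eval Period=if(_time>=relative_time(now(),"-60m@m"),"New","Old")
| chart sum(count) over host by Period
| fillnull value=0 Old New
| eval delta=New-Old
| eval pct_change=if(Old>0, round(100*delta/Old, 1), null())
| where New=0 OR Old=0 OR pct_change<-50 OR pct_change>200
| sort - Old
```

Two details worth checking before alerting on this. The accepted answer tests _time with a plain greater-than, which puts the one-minute bucket that starts exactly at -60m@m into Old (61 minutes against 59); greater-than-or-equal splits the 120 buckets evenly at 60/60. And summariesonly=t reads only data that the data model acceleration has already summarized, so a host whose most recent minutes have not been summarized yet will look like a drop in New; compare the result with summariesonly=f (or a plain search over the raw events, as abbam did) before treating a missing host as a real outage.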