Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to count the number of events by types that oc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to count the number of events by types that occurred during each period of time (for example, yesterday and the day before yesterday).
Tell me how to fix it:
… “EventType=4*” | eval dt1=EventType WHERE _time=relative_data(“-1d@d”, “0d@d”), dt2=EventType WHERE _time=relative_data(“-2d@d”, “-1d@d”) | stats count by EventCode | table EventCode dt1 dt2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try the below,I think the below should work!!
basequery| eval time=strftime(_time, "%Y-%m-%d")| stats count by time,EventCode
And select the timerange for the last two days.
OR
basequery | bin _time span=1d | stats count by _time,EventCode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This will not give the desired result.
Separately for each period I did, but I do not know how to combine these three requests into one.
3 days ago
... EventCode="" | WHERE _time >= relative_time(now(), "-2d@d") AND _time <= relative_time(now(), "-1d@d")| stats count by EventCode
2 days ago
... EventCode="" | WHERE _time >= relative_time(now(), "-1d@d") AND _time <= relative_time(now(), "-0d@d")| stats count by EventCode
1 days ago
... EventCode="*" | WHERE _time >= relative_time(now(), "-0d@d") AND _time <= now() | stats count by EventCode
or so
... EventCode="" earliest=-2d@d latest=-1d@d | stats count by EventCode | rename count as dt3
... EventCode="" earliest=-1d@d latest=-0d@d | stats count by EventCode | rename count as dt2
... EventCode="*" earliest=-0d@d | stats count by EventCode | rename count as dt1
I tried to connect, but it does not work correctly:
source="WinEventLog:Security" EventCode="" earliest=-2d@d latest=-1d@d | stats count by EventCode | rename count as dt3 | appendcols [ search source="WinEventLog:Security" EventCode="" earliest=-1d@d latest=-0d@d | stats count by EventCode | rename count as dt2] | appendcols [ search source="WinEventLog:Security" EventCode="*" earliest=-0d@d | stats count by EventCode | rename count as dt1]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try the below,I think the below should work!!
basequery| eval time=strftime(_time, "%Y-%m-%d")| stats count by time,EventCode
And select the timerange for the last two days.
OR
basequery | bin _time span=1d | stats count by _time,EventCode
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
