Splunk Search

How to do stats count for different day?

rick1168
Engager

| stats count by field1 field1 field2 field3 only show yesterday count,  how can I  show count1 for yesterday, count2 for 2-day ago, count3 for 3-day ago,

shown as following

field1   field2 field3 count1 count2 coun3

Labels (1)
Tags (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| bin _time span=1d
| stats count by _time field1 field2 field3
| eventstats values(_time) as dates
| eval day=mvfind(dates, _time)+1
| eval count{day} = count
| fields - count dates day _time
| stats values(*) as * by field1 field2 field3

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| bin _time span=1d
| stats count by _time field1 field2 field3
| eventstats values(_time) as dates
| eval day=mvfind(dates, _time)+1
| eval count{day} = count
| fields - count dates day _time
| stats values(*) as * by field1 field2 field3
0 Karma

rick1168
Engager

它有效. thanks

0 Karma

bowesmana
SplunkTrust
SplunkTrust
your search
| bin _time span=1d
| stats count by _time field1 field2 field3

also you will need your time range window to cover the time range you are interested in

The timechart  command may also be useful

0 Karma

rick1168
Engager

Could timechart multiple fields and time window in column?

0 Karma

bowesmana
SplunkTrust
SplunkTrust

No timechart is only a single split field, but I mentioned it in case it was relevant.

The stats command with _time and the bin command should do the trick for you.

0 Karma
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...