Splunk Search

How to edit my search to add row header labels to the table of results?

vivekb
New Member

I have created the following Splunk search:

host=xyz* index=my_index NOT(bot) earliest=-1d@d latest=-0d@d | eval searchid="Today" | stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 | append [ search index=my_index host=pdap* index=os_web NOT(bot) earliest=-2d@d latest=-1d@d |eval searchid="Yesterday" | stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404]

Following is the result:

Exceptions    Errors    404
58            95        49
59            135       94

My question is: how do I add row labels like Today for the first row and Yesterday for the second row?

0 Karma
1 Solution

ppablo
Retired

Hi @vivekb

Don't forget to resolve your question by clicking "Accept" below the answer you decided to go with!

Patrick

0 Karma

vivekb
New Member

Done. Thanks Patrick!

0 Karma

alacercogitatus
SplunkTrust

You can combine this into a single search, but the important part is the by clause.

As you have it written:

host=xyz* index=my_index NOT(bot) earliest=-1d@d latest=-0d@d | eval searchid="Today" | stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid | append [ search index=my_index host=pdap* index=os_web NOT(bot) earliest=-2d@d latest=-1d@d |eval searchid="Yesterday" | stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid]

As I would write it combined:

index=my_index host=pdap* index=os_web NOT(bot) earliest=-2d@d  latest=-0d@d |eval searchid=if(_time>relative_time(now(),"-1d@d"),"Today", "Yesterday")| stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid

vivekb
New Member

Thanks much. Perfect answer similar to what @sundareshr has posted. Since I can accept only one answer, I picked the first one. Thanks again.

0 Karma

sundareshr
Legend

Try this

host=xyz* index=my_index NOT(bot) earliest=-2d@d latest=-0d@d 
| eval searchid=if(_time>=relative_time(now(), "-1d@d"), "Today", "Yesterday")
| stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid

vivekb
New Member

Thanks a bunch. Saved my day.

0 Karma

vivekb
New Member

Thanks again. @sundareshr, one extension to the query: since the relative_time function accepts two arguments, how do I extrapolate to the last 7 days?

E.g.
Today
Yesterday
2 Days Prior
3 Days Prior

Thanks.

0 Karma

sundareshr
Legend

You could do searchid=round((now()-_time)/86400, 0)." days"

0 Karma
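The follow-up question (Today, Yesterday, 2 Days Prior, ... for the last 7 days) and the round((now()-_time)/86400) suggestion can be combined into one search whose buckets line up with calendar days rather than with 24-hour periods counted back from the moment the search runs. The search below is an added example, not from any poster in this thread. It keeps the original host/index terms and the three searchmatch counters, and it assumes a window of earliest=-7d@d latest=now so that the calendar day currently in progress is the "Today" row; with the original latest=-0d@d the Today row would simply be absent.

```spl
host=xyz* index=my_index NOT(bot) earliest=-7d@d latest=now
| eval day_start=relative_time(_time, "@d")
| eval days_ago=round((relative_time(now(), "@d") - day_start) / 86400, 0)
| eval searchid=case(days_ago==0, "Today",
                     days_ago==1, "Yesterday",
                     true(), tostring(days_ago)." Days Prior")
| stats count(eval(searchmatch("Exception"))) as Exceptions
        count(eval(searchmatch("Error"))) as Errors
        count(eval(searchmatch("404"))) as 404
        by days_ago searchid
| sort days_ago
| fields - days_ago
```

Snapping both the event time and now() to midnight with relative_time(..., "@d") before subtracting is what makes each row a whole calendar day; the difference is then a multiple of 86400 seconds, and round() absorbs the one-hour offset a DST change would otherwise introduce, which is why it is used instead of floor(). Keeping the numeric days_ago in the by clause lets sort order the rows chronologically before the field is dropped. Note that searchmatch("404") matches the string anywhere in the raw event, including a byte count or a URL fragment, so if the web logs have an extracted status field, count(eval(status=404)) is the more accurate measure.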