Splunk Search

How to edit my search to add row header labels to the table of results?

vivekb
New Member

I have created following Splunk search:

host=xyz* index=my_index NOT(bot) earliest=-1d@d latest=-0d@d
| eval searchid="Today"
| stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404
| append [ search index=my_index host=pdap* index=os_web NOT(bot) earliest=-2d@d latest=-1d@d
    | eval searchid="Yesterday"
    | stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 ]

Following is the result:

Exceptions              Errors             404
58                      95                 49
59                      135               94

My Question is: How do I add row labels like Today for first row and Yesterday for second row?

0 Karma

ppablo
Retired

Hi @vivekb

Don't forget to resolve your question by clicking "Accept" below the answer you decided to go with!

Patrick

0 Karma

vivekb
New Member

Done. Thanks Patrick!

0 Karma

alacercogitatus
SplunkTrust

You can combine this into a single search, but the important part is the by clause.

As you have it written:

host=xyz* index=my_index NOT(bot) earliest=-1d@d latest=-0d@d
| eval searchid="Today"
| stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid
| append [ search index=my_index host=pdap* index=os_web NOT(bot) earliest=-2d@d latest=-1d@d
    | eval searchid="Yesterday"
    | stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid ]

As I would write it combined:

index=my_index host=pdap* index=os_web NOT(bot) earliest=-2d@d latest=-0d@d
| eval searchid=if(_time>relative_time(now(),"-1d@d"), "Today", "Yesterday")
| stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid

vivekb
New Member

Thanks much. Perfect answer similar to what @sundareshr has posted. Since I can accept only one answer, I picked the first one. Thanks again.

0 Karma

sundareshr
Legend

Try this

host=xyz* index=my_index NOT(bot) earliest=-2d@d latest=-0d@d
| eval searchid=if(_time>=relative_time(now(), "-1d@d"), "Today", "Yesterday")
| stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid

vivekb
New Member

Thanks a bunch. Saved my day.

0 Karma

vivekb
New Member

Thanks again, @sundareshr. One extension to the query: since the relative_time function accepts two arguments,
how do I extrapolate this to the last 7 days?

E.g.
Today
Yesterday
2 Days Prior
3 Days Prior

Thanks.

0 Karma

sundareshr
Legend

You could do searchid=round((now()-_time)/86400, 0)." days"

0 Karma
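The two-day `if(_time ... relative_time(now(), "-1d@d"))` answers above and the `round((now()-_time)/86400, 0)` suggestion for seven days both label rows by age, but they measure age differently: the `if` compares against a midnight boundary, while `(now()-_time)/86400` counts 24-hour periods back from the moment the search runs, so an event logged at 23:30 the night before gets a different label than the `earliest=-Nd@d` window boundaries would give it. The search below is an added example, not code from the thread or from Splunk; it snaps both `now()` and `_time` to the start of their calendar day with `relative_time(..., "@d")`, so the label for every event agrees with `@d`-aligned earliest/latest, and it generalises the two-row labelling to any number of days. It fabricates its own events with `makeresults` (the timestamps and the `msg` field are constructed for the demonstration and are not real data) so it runs on any Splunk instance without the poster's index; against real data, drop the first four lines, put the thread's `host=... index=... earliest=-7d@d latest=@d` search in front, and use `searchmatch(...)` on `_raw` as the thread does instead of `match(msg, ...)`.

```spl
``` Constructed input: 9 synthetic events spread over the last few days (not real data) ```
| makeresults count=9
| streamstats count AS n
``` n*30000 seconds before today's midnight: n=1,2 land on yesterday, n=3..5 two days ago, n=6..8 three days ago, n=9 four days ago ```
| eval _time=relative_time(now(), "@d") - (n * 30000)
| eval msg=case(n % 3 == 1, "WARN request failed: java.lang.RuntimeException at Handler.java:42",
                n % 3 == 2, "ERROR database Error: connection timeout",
                true(),     "GET /admin/login.php 404")
``` Age in whole calendar days: both timestamps snapped to midnight, so the difference is a multiple of 86400 (round() absorbs a DST hour) ```
| eval days_ago=round((relative_time(now(), "@d") - relative_time(_time, "@d")) / 86400, 0)
``` Row label: Today / Yesterday / "N Days Prior", extendable to any window by widening earliest ```
| eval searchid=case(days_ago == 0, "Today",
                     days_ago == 1, "Yesterday",
                     true(),        days_ago . " Days Prior")
``` Same per-day counts as the thread; (?i) makes match() case-insensitive like searchmatch() ```
| stats count(eval(match(msg, "(?i)exception"))) AS Exceptions
        count(eval(match(msg, "(?i)error")))     AS Errors
        count(eval(match(msg, "404")))           AS "404"
        by days_ago searchid
``` Oldest day last, then hide the numeric sort key ```
| sort days_ago
| fields - days_ago
```

With the constructed input this yields three rows (Yesterday, 2 Days Prior, 3 Days Prior, plus 4 Days Prior), each carrying the Exceptions, Errors and 404 counts for that calendar day; nothing lands on Today because every synthetic event is placed before today's midnight, which matches the `latest=-0d@d` convention used in the question, where the most recent complete day is the first row. If you keep the `-1d@d`/`-0d@d` window and want that first row called "Today" as in the thread, shift the labels by one (`days_ago == 1, "Today"`) rather than moving the boundary, so the counts stay aligned with the day boundaries the search itself uses. The same per-day table is a reasonable baseline for spotting a spike in 404s or exceptions that might indicate scanning or an exploitation attempt, which is only meaningful if every row covers exactly one full day.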