Splunk Search

How to edit my search to compare the count for Tuesday of the present week with Tuesday of the previous week?

vrmandadi
Builder

Hello,

I am trying to compare the count for Tuesday of last week with Tuesday of this week. I am currently using the below search to compare the results:

index=d earliest=@w2 latest=now
| eval Period=if( _time


arobbins_splunk
Splunk Employee

how about:

index=_internal earliest=-14d date_wday="tuesday"
| eval day=date_month." ".date_mday
| stats count by day

by putting the filtering for date_wday in the initial search, you won't retrieve any extraneous events


somesoni2
Revered Legend

Give this a try (check the rex messages)

index=d earliest=-14d date_wday=Tuesday
| eval day=if(_time>relative_time(now(),"-7d"),"ThisWeek","LastWeek")
| rex field=EWS_MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)" | rex field=ews_transaction_log.ews_message_qualifier "(?<MESSAGE_TYPE>\w+)"
| chart count by MESSAGE_TYPE,day

If date_wday is not already present

index=d earliest=-14d@d
| where strftime(_time,"%a")="Tue"
| eval day=if(_time>relative_time(now(),"-7d"),"ThisWeek","LastWeek")
| rex field=EWS_MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)" | rex field=ews_transaction_log.ews_message_qualifier "(?<MESSAGE_TYPE>\w+)"
| chart count by MESSAGE_TYPE,day

vrmandadi
Builder

It worked, thanks a lot, but please explain to me what the search below does:

eval day=if(_time>relative_time(now(),"-7d")


somesoni2
Revered Legend

This is differentiating between the two Tuesdays that you'll get in the results. If the timestamp of the events is within the last 7 days, they are from the Tuesday that just passed. If you run the query on or after Wednesday it'll give Tuesday of the current week, else it will give Tuesday of last week.

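To see exactly which events each label collects, here is a small Python model (an added example, written for this page and not from any poster) of somesoni2's rolling `-7d` split beside a day-aligned split using Splunk's `@w2` snap; `relative_time` and `@w2` are re-implemented in plain Python, and the Tuesday event timestamps are constructed. It goes one step beyond the thread by showing that the rolling split, when run on a Tuesday, cuts last Tuesday's events across both buckets, while the snapped split does not.

```python
from datetime import datetime, timedelta

def bucket_minus_7d(event_time, now):
    """somesoni2's split: if(_time>relative_time(now(),"-7d"),"ThisWeek","LastWeek").
    The cut falls at the same time of day as the search runs, 7 days earlier."""
    return "ThisWeek" if event_time > now - timedelta(days=7) else "LastWeek"

def snap_to_tuesday(now):
    """Model of Splunk's @w2 snap: midnight of the most recent Tuesday
    (Splunk counts w0 = Sunday; Python's weekday() has Monday = 0, Tuesday = 1)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=(midnight.weekday() - 1) % 7)

def bucket_snap_w2(event_time, now):
    """Day-aligned split: if(_time>=relative_time(now(),"@w2"),"ThisWeek","LastWeek")."""
    return "ThisWeek" if event_time >= snap_to_tuesday(now) else "LastWeek"

def count_by_bucket(events, now, bucket):
    """Equivalent of `stats count by day` for one of the two eval expressions."""
    counts = {"ThisWeek": 0, "LastWeek": 0}
    for t in events:
        counts[bucket(t, now)] += 1
    return counts

# Constructed sample: 3 events on Tuesday 2021-03-09 and 2 on Tuesday 2021-03-16,
# i.e. the two Tuesdays a 14-day window returns once date_wday filtering is applied.
TUESDAY_EVENTS = [
    datetime(2021, 3, 9, 8, 0), datetime(2021, 3, 9, 11, 0), datetime(2021, 3, 9, 15, 0),
    datetime(2021, 3, 16, 8, 0), datetime(2021, 3, 16, 11, 0),
]
RUN_WEDNESDAY = datetime(2021, 3, 17, 9, 0)     # both splits agree
RUN_TUESDAY_NOON = datetime(2021, 3, 16, 12, 0)  # -7d cut lands inside last Tuesday

def compare_runs():
    """Counts per bucket for both eval expressions at both run times."""
    return {
        name: {
            "-7d": count_by_bucket(TUESDAY_EVENTS, now, bucket_minus_7d),
            "@w2": count_by_bucket(TUESDAY_EVENTS, now, bucket_snap_w2),
        }
        for name, now in (("wednesday", RUN_WEDNESDAY), ("tuesday_noon", RUN_TUESDAY_NOON))
    }

if __name__ == "__main__":
    for run, result in compare_runs().items():
        print(run, result)
```

On the Tuesday-noon run the `-7d` split reports 3 ThisWeek / 2 LastWeek because last Tuesday's 15:00 event lies inside the rolling 7-day window, whereas the `@w2` split keeps the expected 2 / 3.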

woodcock
Esteemed Legend

You need the timewrap app:

https://splunkbase.splunk.com/app/1645/



vrmandadi
Builder

Thank you arobbins, it worked with just a small change in my query.
