How to edit my search to compare the count for Tuesday of the present week with Tuesday of the previous week?

Builder

Hello,

I am trying to compare the count for Tuesday of last week with Tuesday of this week. I am currently using the below search to compare the results:

index=d earliest=@w2 latest=now
| eval Period=if( _time


Re: How to edit my search to compare the count for Tuesday of the present week with Tuesday of the previous week?

Splunk Employee

How about:

index=_internal earliest=-14d date_wday="tuesday"
| eval day=date_month." ".date_mday
| stats count by day

By putting the filtering for date_wday in the initial search, you won't retrieve any extraneous events.


Re: How to edit my search to compare the count for Tuesday of the present week with Tuesday of the previous week?

Builder

Thank you arobbins, it worked with just a small change in my query.


Re: How to edit my search to compare the count for Tuesday of the present week with Tuesday of the previous week?

Esteemed Legend

You need the timewrap app:

https://splunkbase.splunk.com/app/1645/


Re: How to edit my search to compare the count for Tuesday of the present week with Tuesday of the previous week?

SplunkTrust

Give this a try (check the rex messages)

index=d " earliest=-14d date_wday=Tuesday
| eval day=if(_time>relative_time(now(),"-7d"),"ThisWeek","LastWeek")
| rex field=EWS_MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)"
| rex field=ews_transaction_log.ews_message_qualifier "(?<MESSAGE_TYPE>\w+)"
| chart count by MESSAGE_TYPE,day

If date_wday is not already present:

index=d " earliest=-14d@d
| where strftime(_time,"%a")="Tue"
| eval day=if(_time>relative_time(now(),"-7d"),"ThisWeek","LastWeek")
| rex field=EWS_MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)"
| rex field=ews_transaction_log.ews_message_qualifier "(?<MESSAGE_TYPE>\w+)"
| chart count by MESSAGE_TYPE,day

Re: How to edit my search to compare the count for Tuesday of the present week with Tuesday of the previous week?

Builder

It worked, thanks a lot, but please explain to me what the search below does:

eval day=if(_time>relative_time(now(),"-7d")


Re: How to edit my search to compare the count for Tuesday of the present week with Tuesday of the previous week?

SplunkTrust

This is differentiating between the two Tuesdays that you'll get in the results. If the timestamps of the events are within the last 7 days, they are from the Tuesday just passed. If you run the query on or after Wednesday, it'll give Tuesday of the current week; otherwise it will give Tuesday of last week.

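The labelling explained in the last reply, modelled as an added Python example (not part of the original thread): it mirrors the `earliest=-14d` window and the `_time>relative_time(now(),"-7d")` test on constructed hourly timestamps and reports which Tuesdays fall under each label for a given run time. The function names and sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta

def label(event_time, now):
    """Mirror of: eval day=if(_time>relative_time(now(),"-7d"),"ThisWeek","LastWeek")."""
    return "ThisWeek" if event_time > now - timedelta(days=7) else "LastWeek"

def tuesday_buckets(events, now):
    """Apply the earliest=-14d window (latest defaults to now), keep only
    Tuesday events, and return the calendar dates seen under each label."""
    earliest = now - timedelta(days=14)
    buckets = {"ThisWeek": set(), "LastWeek": set()}
    for t in events:
        if earliest <= t < now and t.weekday() == 1:  # weekday() 1 == Tuesday
            buckets[label(t, now)].add(t.date().isoformat())
    return {name: sorted(dates) for name, dates in buckets.items()}

# Constructed sample data: one event per hour for four weeks,
# starting Monday 2024-01-01 (Tuesdays are Jan 2, 9, 16 and 23).
START = datetime(2024, 1, 1)
EVENTS = [START + timedelta(hours=h) for h in range(24 * 28)]

if __name__ == "__main__":
    runs = {
        "Wednesday": datetime(2024, 1, 24, 10),
        "Monday": datetime(2024, 1, 22, 10),
        "Tuesday": datetime(2024, 1, 23, 10),
    }
    for weekday, now in runs.items():
        print(weekday, now.isoformat(), tuesday_buckets(EVENTS, now))
```

When the run time itself falls on a Tuesday, the window touches three Tuesdays and the one seven days earlier is split across both labels at the current time of day.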