Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my search to get new errors from t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please help with the following search? It returns 0 events. I want all the errors that occurred today, and not in last 7days
sourcetype="xx" source="err.log" error earliest=-1d@d
| stats count AS thisweek by _Error
| appendcols [ search source="err.log" error earliest=-7d@d latest=-1d@d
| stats count AS lastweek by _Error]
| where !isnum(lastweek)
| table thisweek lastweek _Error
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wouldn't use appendcols for a start. Use append instead, and a final stats to combine the two
sourcetype="xx" source="err.log" error earliest=-1d@d
| stats count AS thisweek by _Error
| append [ search source="err.log" error earliest=-7d@d latest=-1d@d
| stats count AS lastweek by _Error]
| stats first(*) as * by _Error
| where thisweek > 0 and lastweek = 0
You could also do this with no sub-searches at all, which may be necessary if you are working with very large data sets:
sourcetype="xx" source="err.log" error earliest=-7d@d
| eval category = if(_time < relative_time(now(),"-1d@d"),"last week","this week")
| stats count(eval(category=="this week")) AS thisweek count(eval(category=="last week")) AS lastweek by _Error
| where thisweek > 0 and lastweek = 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wouldn't use appendcols for a start. Use append instead, and a final stats to combine the two
sourcetype="xx" source="err.log" error earliest=-1d@d
| stats count AS thisweek by _Error
| append [ search source="err.log" error earliest=-7d@d latest=-1d@d
| stats count AS lastweek by _Error]
| stats first(*) as * by _Error
| where thisweek > 0 and lastweek = 0
You could also do this with no sub-searches at all, which may be necessary if you are working with very large data sets:
sourcetype="xx" source="err.log" error earliest=-7d@d
| eval category = if(_time < relative_time(now(),"-1d@d"),"last week","this week")
| stats count(eval(category=="this week")) AS thisweek count(eval(category=="last week")) AS lastweek by _Error
| where thisweek > 0 and lastweek = 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Iguinn!, I tried both of the search queries you recommended, but still get No results found.
The original search I posted, returns results if the lastweek query is within last 2 days, but for 7days it almost seems like finalizing results and returns no results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used your query with no subsearches replaced or with following and it worked!!
Thank you very much, really appreciate your help!!
| table thisweek lastweek _Error
|where lastweek = 0
Building Reliable Asset and Identity Frameworks in Splunk ES
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
Automatic Discovery Part 3: Practical Use Cases
