Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to run a same search with multiple time ranges and append the value compare them?

manojntr
Observer
‎05-18-2022 06:41 PM

Here is the example of the search looks like :

index=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/09/2022:00:00:00 latest=05/09/2022:24:00:00 )| rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)" | fields +xyzApi test_filed_1test_filed_1 index
 | top xyzApi test_filed_1test_filed_1 index limit=20 | appendcols [ searchindex=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/16/2022:00:00:00 latest=05/16/2022:24:00:00 ) || rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)" | fields +xyzApi test_filed_1test_filed_1 index
 | top xyzApi test_filed_1test_filed_1 index limit=20 ]

Ideally i want to run the search for 9th and 16 of this monday and get the count of each day and compare , I'm not able to divide the count for each day 

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-18-2022 11:29 PM

Both top commands are creating fields with the same names (count and percent) - rename these after the first top

index=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/09/2022:00:00:00 latest=05/09/2022:24:00:00 )| rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)" | fields +xyzApi test_filed_1test_filed_1 index
 | top xyzApi test_filed_1test_filed_1 index limit=20 
| rename count as count09 percent as percent09
| appendcols [ searchindex=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/16/2022:00:00:00 latest=05/16/2022:24:00:00 ) || rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)" | fields +xyzApi test_filed_1test_filed_1 index
 | top xyzApi test_filed_1test_filed_1 index limit=20 ]
0 Karma
Reply

manojntr
Observer
‎05-19-2022 09:31 AM

@ITWhisperer When i renamed the count and percent they are showing up as empty columns 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2022 10:32 AM

What is the search you are using for this result?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-18-2022 11:17 PM

Hi

have you look timewrap -command? I think that this can solve your issue. There are quite many answers about this which you could easily found by google.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...