Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use two queries in one?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use two queries in one?
Hello,
Today i have this query in my dashboard :
| loadjob savedsearch="myquery"
|eval FromDate = "2020-01-23"
|eval ToDate = "2020-01-23"
| eval ToDateexpir = strptime("2020-01-23", "%Y-%m-%d")
| eval expiring = ToDate + 86400*4
| eval expiring = strftime(expiring, "%Y-%m-%d")
| where (strftime(_time, "%Y-%m-%d") >= FromDate) AND (strftime(_time, "%Y-%m-%d") <= ToDate)
| stats count(eval(if(MESSAGE="show",STEP,NULL))) AS showed,
count(eval(if(MESSAGE="send",STEP,NULL))) AS sent,
count(eval(if(MESSAGE="delete",STEP,NULL))) AS deleted by client |where showed>0
|stats sum(showed) AS showed,sum(sent) AS sent,sum(deleted) AS deleted
| eval AVG= round(((showed - (sent+deleted))/showed*100),2)." %"
I want to keep the same query and logic, but for the calculation of the fields "sent" i want it to be from "FromDate" to "expiring"
Thank you 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| where (strftime(_time, "%Y-%m-%d") >= FromDate) AND (strftime(_time, "%Y-%m-%d") <= ToDate)
Is this query really work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| loadjob savedsearch="myquery"
|eval FromDate = "2020-01-23"
|eval ToDate = "2020-01-23"
| eval ToDateexpir = strptime("2020-01-23", "%Y-%m-%d")
| eval expiring = ToDate + 86400*4
| eval expiring = strftime(expiring, "%Y-%m-%d")
| where (strftime(_time, "%Y-%m-%d") >= FromDate) AND (strftime(_time, "%Y-%m-%d") <= ToDate)
| stats count(eval(if(MESSAGE="show",STEP,NULL))) AS showed,
count(eval(if(MESSAGE="send",STEP,NULL))) AS sent,
count(eval(if(MESSAGE="delete",STEP,NULL))) AS deleted by client |where showed>0
|stats sum(showed) AS showed,sum(sent) AS sent,sum(deleted) AS deleted
| eval AVG= round(((showed - (sent+deleted))/showed*100),2)." %"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
