Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Not using chartTime or bucket -- I want this search to display the trend for daily, week and monthly in signal query

jw44250
New Member
‎09-15-2017 03:49 PM

Mongo Collection Data : -

Id : 1
StartDate : some date
EndDate : Some Date

    X :
    Foo : “foo1’
    Count : 10

Id : 2
StartDate : some date
EndDate : Some Date

X :
    Foo : “foo2’
    Count : 5

Id : 3
StartDate : some date
EndDate : Some Date

X :
    bar : “bar1’
    Count : 20
0 Karma
Reply

woodcock
Esteemed Legend
‎11-25-2017 11:41 AM

I do not understand the way that you have presented your data. I also do not understand the desire. It helps greatly if you present sample raw events and desired output mockup.

0 Karma
Reply

Sukisen1981
Champion
‎09-16-2017 12:22 AM

hi,

not clear what you want. but append cols will only work if you have values in all the fields that you are basing your append cols on.
for example:

| appendcols StatDate [search.....]
unless the start dates are common across all the sub searches you are using the appendcols will not work.

the mongodb JSON you are consuming for id1,2 & 3 are they in the same index?
Consider using stats command rather than append or join

0 Karma
Reply

jw44250
New Member
‎09-17-2017 02:52 PM

This is nearly what i m looking for

https://answers.splunk.com/answers/204291/use-of-count-by-date-in-metadata-typehosts.html

host 12/04/14 12/05/14 12/06/14 ...
A 5 10 ...
B 27 12 ...
C 48 40 ...
D 95 25 ...

0 Karma
Reply

jw44250
New Member
‎09-17-2017 02:16 PM

the mongodb JSON you are consuming for id1,2 & 3 are they in the same index? Yes.

I have "| appendcols StatDate [search.....] but my result is over the places.

I'm going to try below SPLunk Query
source="PS_VM_Config" VMCDMedia="True" earliest=-72h | stats count(VMName) AS ConnectedDays, Values(VCenter) AS VCenter BY VMName | where ConnectedDays > 2 | join [search source="PS_VM_Config" VMCDMedia="True" earliest=-24h] | table VMName VCenter

I am searching for word foo & bar on daily basis, weekly, monthly - and my output should be in
Daily Result
Monday
Foo appeared 1 times
Bar appreard 2

Tuseday
Foo appeared 1 times
Bar appreard 2

.............

Weekly
Foo appeared 10 times
Bar appreard 0

Week 1
Foo appeared 10 times
Bar appreard 0

Week 2
Bar appreard 50 Time0

Monthly Result
Foo appeared 10 times
Bar appreard 0

0 Karma
Reply

jw44250
New Member
‎09-15-2017 04:28 PM

i have used append Columns but by result is proprly displayed

StartDate EndDate Bar . count1 count2
someDate some date . 20

StartDate EndDate Bar . count1 count2
someDate some date . 0

0 Karma
Reply

jw44250
New Member
‎09-15-2017 04:31 PM

only same index

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...