Subsearch results display in different columns wit...

rossikwan · ‎12-22-2011

sourcetype=xxx earliest=-1d@d latest=-0d@d | stats count by host | append [search earliest=-2d@d latest=-1d@d | stats count by host] | sort -count -host

The results displayed as below:

host	count
hostA	6080
hostA	6182
hostB	3023
hostB	3238
...
...

And I would like the results displayed as below:

host	p1d_count	p2d_count
hostA	6080	6182
hostB	3023	3238
...
...

Is there a simple way to make the results for easily read & presentable?
Thanks.

Rossi

vipiao · ‎12-25-2013

rossikwan · ‎01-19-2012

Works like a Charm, thanks 🙂

imrago · ‎12-23-2011

Hi,

a solution could be something like this:

earliest=-2d@d latest=@d | eval Date=strftime(_time,"%Y-%m-%d")| chart count by host,Date

dwaddle · ‎12-23-2011

Yes, imgrago's solution is a good one. As long as the days you are dealing with are consecutive there is no value in the appended subsearch. You could alternately use the built-in date_wday or date_mday extractions instead of computing Date. A more general example of day-over-day that can be adapted to week-over-week or month-over-month is demonstrated in http://splunk-base.splunk.com/answers/2712/line-chart-comparing-yesterdays-result-with-todays-result...