Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Subsearch results display in different columns with same field by differenet timerange

rossikwan
Path Finder
‎12-22-2011 07:40 PM

sourcetype=xxx earliest=-1d@d latest=-0d@d | stats count by host | append [search earliest=-2d@d latest=-1d@d | stats count by host] | sort -count -host

The results displayed as below:

hostcount
hostA6080
hostA6182
hostB3023
hostB3238
...
...

And I would like the results displayed as below:

hostp1d_countp2d_count
hostA60806182
hostB30233238
...
...

Is there a simple way to make the results for easily read & presentable?
Thanks.

Rossi

Tags (3)
0 Karma
Reply

vipiao
New Member
‎12-25-2013 07:22 PM

sourcetype=xxx earliest=-1d@d latest=-0d@d | stats count by host | rename count as p1d_count | streamstats count as rownum | join rownum [search earliest=-2d@d latest=-1d@d | stats count by host | rename count as p2d_count | streamstats count as rownum] | fields - rownum

0 Karma
Reply

rossikwan
Path Finder
‎01-19-2012 12:42 AM

Works like a Charm, thanks 🙂

0 Karma
Reply

imrago
Contributor
‎12-23-2011 01:51 AM

Hi,

a solution could be something like this:

earliest=-2d@d latest=@d | eval Date=strftime(_time,"%Y-%m-%d")| chart count by host,Date

Reply

dwaddle
SplunkTrust
SplunkTrust
‎12-23-2011 10:17 AM

Yes, imgrago's solution is a good one. As long as the days you are dealing with are consecutive there is no value in the appended subsearch. You could alternately use the built-in date_wday or date_mday extractions instead of computing Date. A more general example of day-over-day that can be adapted to week-over-week or month-over-month is demonstrated in http://splunk-base.splunk.com/answers/2712/line-chart-comparing-yesterdays-result-with-todays-result...

0 Karma
Reply
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...