Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Subsearch results display in different columns with same field by differenet timerange

rossikwan
Path Finder
‎12-22-2011 07:40 PM

sourcetype=xxx earliest=-1d@d latest=-0d@d | stats count by host | append [search earliest=-2d@d latest=-1d@d | stats count by host] | sort -count -host

The results displayed as below:

hostcount
hostA6080
hostA6182
hostB3023
hostB3238
...
...

And I would like the results displayed as below:

hostp1d_countp2d_count
hostA60806182
hostB30233238
...
...

Is there a simple way to make the results for easily read & presentable?
Thanks.

Rossi

Tags (3)
0 Karma
Reply

vipiao
New Member
‎12-25-2013 07:22 PM

sourcetype=xxx earliest=-1d@d latest=-0d@d | stats count by host | rename count as p1d_count | streamstats count as rownum | join rownum [search earliest=-2d@d latest=-1d@d | stats count by host | rename count as p2d_count | streamstats count as rownum] | fields - rownum

0 Karma
Reply

rossikwan
Path Finder
‎01-19-2012 12:42 AM

Works like a Charm, thanks 🙂

0 Karma
Reply

imrago
Contributor
‎12-23-2011 01:51 AM

Hi,

a solution could be something like this:

earliest=-2d@d latest=@d | eval Date=strftime(_time,"%Y-%m-%d")| chart count by host,Date

Reply

dwaddle
SplunkTrust
SplunkTrust
‎12-23-2011 10:17 AM

Yes, imgrago's solution is a good one. As long as the days you are dealing with are consecutive there is no value in the appended subsearch. You could alternately use the built-in date_wday or date_mday extractions instead of computing Date. A more general example of day-over-day that can be adapted to week-over-week or month-over-month is demonstrated in http://splunk-base.splunk.com/answers/2712/line-chart-comparing-yesterdays-result-with-todays-result...

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
Top