Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Subsearch results display in different columns with same field by differenet timerange

rossikwan
Path Finder
‎12-22-2011 07:40 PM

sourcetype=xxx earliest=-1d@d latest=-0d@d | stats count by host | append [search earliest=-2d@d latest=-1d@d | stats count by host] | sort -count -host

The results displayed as below:

hostcount
hostA6080
hostA6182
hostB3023
hostB3238
...
...

And I would like the results displayed as below:

hostp1d_countp2d_count
hostA60806182
hostB30233238
...
...

Is there a simple way to make the results for easily read & presentable?
Thanks.

Rossi

Tags (3)
0 Karma
Reply

vipiao
New Member
‎12-25-2013 07:22 PM

sourcetype=xxx earliest=-1d@d latest=-0d@d | stats count by host | rename count as p1d_count | streamstats count as rownum | join rownum [search earliest=-2d@d latest=-1d@d | stats count by host | rename count as p2d_count | streamstats count as rownum] | fields - rownum

0 Karma
Reply

rossikwan
Path Finder
‎01-19-2012 12:42 AM

Works like a Charm, thanks 🙂

0 Karma
Reply

imrago
Contributor
‎12-23-2011 01:51 AM

Hi,

a solution could be something like this:

earliest=-2d@d latest=@d | eval Date=strftime(_time,"%Y-%m-%d")| chart count by host,Date

Reply

dwaddle
SplunkTrust
SplunkTrust
‎12-23-2011 10:17 AM

Yes, imgrago's solution is a good one. As long as the days you are dealing with are consecutive there is no value in the appended subsearch. You could alternately use the built-in date_wday or date_mday extractions instead of computing Date. A more general example of day-over-day that can be adapted to week-over-week or month-over-month is demonstrated in http://splunk-base.splunk.com/answers/2712/line-chart-comparing-yesterdays-result-with-todays-result...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...