Splunk Search

Subsearch results display in different columns with same field by differenet timerange

rossikwan
Path Finder

sourcetype=xxx earliest=-1d@d latest=-0d@d | stats count by host | append [search earliest=-2d@d latest=-1d@d | stats count by host] | sort -count -host


The results displayed as below:

hostcount
hostA6080
hostA6182
hostB3023
hostB3238
...
...

And I would like the results displayed as below:

hostp1d_countp2d_count
hostA60806182
hostB30233238
...
...

Is there a simple way to make the results for easily read & presentable?
Thanks.

Rossi

Tags (3)
0 Karma

vipiao
New Member

sourcetype=xxx earliest=-1d@d latest=-0d@d | stats count by host | rename count as p1d_count | streamstats count as rownum | join rownum [search earliest=-2d@d latest=-1d@d | stats count by host | rename count as p2d_count | streamstats count as rownum] | fields - rownum

0 Karma

rossikwan
Path Finder

Works like a Charm, thanks 🙂

0 Karma

imrago
Contributor

Hi,

a solution could be something like this:

earliest=-2d@d latest=@d | eval Date=strftime(_time,"%Y-%m-%d")| chart count by host,Date

dwaddle
SplunkTrust
SplunkTrust

Yes, imgrago's solution is a good one. As long as the days you are dealing with are consecutive there is no value in the appended subsearch. You could alternately use the built-in date_wday or date_mday extractions instead of computing Date. A more general example of day-over-day that can be adapted to week-over-week or month-over-month is demonstrated in http://splunk-base.splunk.com/answers/2712/line-chart-comparing-yesterdays-result-with-todays-result...

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...