Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Subsearching within time frame

barakb
Engager
‎10-25-2020 03:55 PM

Hi everyone,

I'm new to Splunk. I've got this search query:

host="..." earliest=-30d latest=now | stats distinct_count(v_id) AS v_id count(eval(req_type="[POST])) AS req_type by host | eval ratio =v_id/req_type

What I want to get a table with v_id and req_type of the earlier week and of the current week (currently I get only for the whole month). Moreover, if there is a better, easier to do this, please also share. Thanks!

Labels (2)
Labels
0 Karma
Reply

barakb
Engager
‎10-26-2020 03:55 AM

Yes! that what I was looking for! Thanks! @ITWhisperer , another question, see the screenshot I've attached, say I want to have the results as another 2 columns (e.g pastVisits and pastFinishedVisits). Taking visits for example, 'pastVisits' would represent visit that have happened 30 to 15 days ago, and 'visits' represents visits that have happened15 days ago until current day. How do I do that?Screen Shot 2020-10-26 at 12.38.24.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2020 04:20 AM 
host="..." earliest=-30d latest=now 
| bin span=15d _time
| stats distinct_count(v_id) AS visits count(eval(req_type="[POST])) AS finishedVisits by host _time
| eval ratio=visits/finishedVisits
| autoregress visits AS pastVisits p=1
| autoregress finishedVisits AS pastFinishedVisits p=1
| autoregress host AS sameHost p=1
| where host=sameHost
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-25-2020 04:14 PM 
host="..." earliest=-30d latest=now 
| bin span=7d _time
| stats distinct_count(v_id) AS v_id count(eval(req_type="[POST])) AS req_type by host _time
| eval ratio =v_id/req_type

Setting the span to 7 days will bin from the earliest and given the 30 does not divide by 7 exactly, your latest bin will only contain counts for 2 days (which might not be what you want). Either change earliest to -28d@d or latest  to -2d@d

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...