Splunk Search

Subsearching within time frame

barakb
Engager

Hi everyone,

I'm new to Splunk. I've got this search query:

host="..." earliest=-30d latest=now | stats distinct_count(v_id) AS v_id count(eval(req_type="[POST])) AS req_type by host | eval ratio =v_id/req_type

What I want to get a table with v_id and req_type of the earlier week and of the current week (currently I get only for the whole month). Moreover, if there is a better, easier to do this, please also share. Thanks!

Labels (2)
0 Karma

barakb
Engager

Yes! that what I was looking for! Thanks! @ITWhisperer , another question, see the screenshot I've attached, say I want to have the results as another 2 columns (e.g pastVisits and pastFinishedVisits). Taking visits for example, 'pastVisits' would represent visit that have happened 30 to 15 days ago, and 'visits' represents visits that have happened15 days ago until current day. How do I do that?Screen Shot 2020-10-26 at 12.38.24.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
host="..." earliest=-30d latest=now 
| bin span=15d _time
| stats distinct_count(v_id) AS visits count(eval(req_type="[POST])) AS finishedVisits by host _time
| eval ratio=visits/finishedVisits
| autoregress visits AS pastVisits p=1
| autoregress finishedVisits AS pastFinishedVisits p=1
| autoregress host AS sameHost p=1
| where host=sameHost
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
host="..." earliest=-30d latest=now 
| bin span=7d _time
| stats distinct_count(v_id) AS v_id count(eval(req_type="[POST])) AS req_type by host _time
| eval ratio =v_id/req_type

Setting the span to 7 days will bin from the earliest and given the 30 does not divide by 7 exactly, your latest bin will only contain counts for 2 days (which might not be what you want). Either change earliest to -28d@d or latest  to -2d@d

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...