Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Subsearching within time frame

barakb
Engager
‎10-25-2020 03:55 PM

Hi everyone,

I'm new to Splunk. I've got this search query:

host="..." earliest=-30d latest=now | stats distinct_count(v_id) AS v_id count(eval(req_type="[POST])) AS req_type by host | eval ratio =v_id/req_type

What I want to get a table with v_id and req_type of the earlier week and of the current week (currently I get only for the whole month). Moreover, if there is a better, easier to do this, please also share. Thanks!

Labels (2)
Labels
0 Karma
Reply

barakb
Engager
‎10-26-2020 03:55 AM

Yes! that what I was looking for! Thanks! @ITWhisperer , another question, see the screenshot I've attached, say I want to have the results as another 2 columns (e.g pastVisits and pastFinishedVisits). Taking visits for example, 'pastVisits' would represent visit that have happened 30 to 15 days ago, and 'visits' represents visits that have happened15 days ago until current day. How do I do that?Screen Shot 2020-10-26 at 12.38.24.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-26-2020 04:20 AM 
host="..." earliest=-30d latest=now 
| bin span=15d _time
| stats distinct_count(v_id) AS visits count(eval(req_type="[POST])) AS finishedVisits by host _time
| eval ratio=visits/finishedVisits
| autoregress visits AS pastVisits p=1
| autoregress finishedVisits AS pastFinishedVisits p=1
| autoregress host AS sameHost p=1
| where host=sameHost
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-25-2020 04:14 PM 
host="..." earliest=-30d latest=now 
| bin span=7d _time
| stats distinct_count(v_id) AS v_id count(eval(req_type="[POST])) AS req_type by host _time
| eval ratio =v_id/req_type

Setting the span to 7 days will bin from the earliest and given the 30 does not divide by 7 exactly, your latest bin will only contain counts for 2 days (which might not be what you want). Either change earliest to -28d@d or latest  to -2d@d

Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...