Hi @inventsekar,

I tried on my Splunk and correctly worked.

Ciao.

Giuseppe

At least in some older versions of splunk only official way was use all time as search period with metasearch. With other periods result was or wasn’t exactly correct. I’m not sure if this UFs still valid or not. Unfortunately I couldn’t find where I have gotten this information and could evaluate it now.

@gcusello  I want the difference between pervious day count of the host and current day count of the host. I want comparison panel in my dashboard

Hi @uagraw01,

as I said, I don't know in deep your need, but you can use my approach.

so using a search like mine you can display the count of events of today and previous day so you can compare the two numbers.

If you want more help, you should share more infos, e.g.:

• what's you main search
• which count you want to compare (e.g. numer of hosts).

so if you want to display the diference in numer of logging hosts between today and yesterday, you could run something like this:

index=_internal earliest=-d@d latest=now
| eval day=if(date_year=strftime(now(),"%Y") AND date_month=lower(strftime(now(),"%B")) AND date_mday=strftime(now(),"%d"),"Today","Previous")
| stats dc(host) AS hosts BY day
| delta hosts AS diff
| table diff

Ciao.

Giuseppe

Ciao.

Giuseppe

@gcusello  Can you suggest me another method. I mean another SPL. Because this search is very slow while executing. 

@gcusello  It is working fine now . Thanks for yours extended help.

Hi @uagraw01,

good for you, please accept the answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

 Below is "no result" i am getting. I need todays day count, previous day count and the difference between todays count and previous day count. From the above query as you suggested not getting any results.

Hi @uagraw01,

this is because you have only today's events!

enlarge your data frame and you'll have results.

Ciao.

Giuseppe