Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Today date and previous day data

uagraw01
Motivator
‎10-19-2020 07:46 AM

I want to calculate todays date data and previous day data from the host. Please suggest SPL for this.

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2020 10:55 AM

Hi @uagraw01,

if in yyour search you can use only the index time fields (index, sourcetyoe, source and host) you can use "|metasearch", having someting like this:

| metasearch index=_internal earliest=-d@d latest=now
| eval date_year=strftime(_time,"%Y"), date_month=strftime(_time,"%B"),date_mday=strftime(_time,"%d")
| eval now_date_year=strftime(now(),"%Y"), now_date_month=strftime(now(),"%B"),now_date_mday=strftime(now(),"%d")
| eval day=if(date_year=now_date_year AND date_month=now_date_month AND date_mday=now_date_mday,"Today","Previous")
| stats count BY day
| delta count AS diff
| reverse
| table diff
| head 1

Ciao.

 Giuseppe

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-19-2020 08:41 AM

hi @uagraw01 just curious - earliest and latest variables are ok or not ok?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2020 11:28 PM

Hi @inventsekar,

I tried on my Splunk and correctly worked.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-20-2020 01:15 PM
At least in some older versions of splunk only official way was use all time as search period with metasearch. With other periods result was or wasn’t exactly correct. I’m not sure if this UFs still valid or not. Unfortunately I couldn’t find where I have gotten this information and could evaluate it now.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-19-2020 08:09 AM

Hi @uagraw01,

see if this example solves your need:

index=_internal
| eval day=if(date_year=strftime(now(),"%Y") AND date_month=lower(strftime(now(),"%B")) AND date_mday=strftime(now(),"%d"),"Today","Previous")
| stats count BY day

Ciao.

Giuseppe

Reply
Solved! Jump to solution

uagraw01
Motivator
‎10-20-2020 07:27 AM

@gcusello  I want the difference between pervious day count of the host and current day count of the host. I want comparison panel in my dashboard

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2020 07:38 AM

Hi @uagraw01,

as I said, I don't know in deep your need, but you can use my approach.

so using a search like mine you can display the count of events of today and previous day so you can compare the two numbers.

If you want more help, you should share more infos, e.g.:

  • what's you main search
  • which count you want to compare (e.g. numer of hosts).

so if you want to display the diference in numer of logging hosts between today and yesterday, you could run something like this:

index=_internal earliest=-d@d latest=now
| eval day=if(date_year=strftime(now(),"%Y") AND date_month=lower(strftime(now(),"%B")) AND date_mday=strftime(now(),"%d"),"Today","Previous")
| stats dc(host) AS hosts BY day
| delta hosts AS diff
| table diff

Ciao.

Giuseppe

Ciao.

Giuseppe

Reply
Solved! Jump to solution

uagraw01
Motivator
‎10-20-2020 09:02 AM

@gcusello  Can you suggest me another method. I mean another SPL. Because this search is very slow while executing. 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2020 10:55 AM

Hi @uagraw01,

if in yyour search you can use only the index time fields (index, sourcetyoe, source and host) you can use "|metasearch", having someting like this:

| metasearch index=_internal earliest=-d@d latest=now
| eval date_year=strftime(_time,"%Y"), date_month=strftime(_time,"%B"),date_mday=strftime(_time,"%d")
| eval now_date_year=strftime(now(),"%Y"), now_date_month=strftime(now(),"%B"),now_date_mday=strftime(now(),"%d")
| eval day=if(date_year=now_date_year AND date_month=now_date_month AND date_mday=now_date_mday,"Today","Previous")
| stats count BY day
| delta count AS diff
| reverse
| table diff
| head 1

Ciao.

 Giuseppe

Reply
Solved! Jump to solution

uagraw01
Motivator
‎10-20-2020 11:39 PM

@gcusello  It is working fine now . Thanks for yours extended help.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-21-2020 12:37 AM

Hi @uagraw01,

good for you, please accept the answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

uagraw01
Motivator
‎10-20-2020 07:56 AM

 Below is "no result" i am getting. I need todays day count, previous day count and the difference between todays count and previous day count. From the above query as you suggested not getting any results.

IMG_20201020_202435.jpg

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2020 07:59 AM

Hi @uagraw01,

this is because you have only today's events!

enlarge your data frame and you'll have results.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top