Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

comparing two values of Today and Yesterday

abhayneilam
Contributor
‎04-03-2014 06:09 AM

Hi,

I have two searches , I want to compare one with other, one search should run for "Today" and other should run for "Yesterday", so I have used earliest=@d latest=now for "Today" and
earliest=-1d@d latest=@d for "Yesterday" data, but here is one catch that it is not good to compare the data in this case because "Yesterday" is having full last 24 hours data and "Today" is having only the data till when I am running the query ( lets say 10 hours data ) , If I execute "Today" query it will be 12 hours data comparing with 24 hours data ...

So, I want to make my query as such that it should compare today's 12 hours data with yesterday's 12 hours data.

Need your help in doing that !! Please suggest me some solution.

Thanks in advance !!

0 Karma
Reply

somesoni2
Revered Legend
‎04-03-2014 07:13 AM

Try something like this 

| multisearch [search index=_internal earliest=@d latest=now | eval day="Today"] 
[search index=_internal [search index=_internal earliest=@d latest=now | head 1  | addinfo | eval latest=info_max_time-86400 | eval earliest=info_min_time-86400 | table earliest, latest| format "" "" " " "" "" ""] | eval day="Yesterday"]...

This query can compare data from Today's hours (if ran at 04/03/2014 10:00 AM, then 04/03/2014 0:00 AM to 04/03/2014 10:00 AM) with exact same hour's from yesterday (04/02/2014 00:00 AM to 04/02/2014 10:00 AM).

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-03-2014 06:18 AM

You could use earliest=@d latest=@h for Today and earliest=-1d@d latest=-24h@h for Yesterday. Or earliest=@d latest=@m for Today and earliest=-1d@d latest=-1440m@m for Yesterday.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

MuS
Legend
‎04-03-2014 06:16 AM

Hi abhayneilam,

take a look at the timewrap app which will provide a new search command to do exactly those kind of time to time compares.

cheers, MuS

0 Karma
Reply

MuS
Legend
‎04-03-2014 06:44 AM

Thinking a bit about this request I came up with this run everywhere command:

index=_internal ealiest=-25h@h | stats count(date_hour) as hourly_count by date_hour, date_wday

this will count all events per hour in the last 25 hours and group them per hour per day. Just adapt it to your needs, like filter the date_hour you need.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...