Solved: day by day comparison

fwd4 · ‎07-11-2011

I'm trying to build a graph in Splunk to provide a day-by-day comparison of particular response codes.

For example I currently monitor the last 24 hours of logs looking for a string D101 (resp_code="D101") and graph it in a timechart. What I would like to do is run a second query for the same D101 message but from the previous 24hours - then end result being a graph with 2 lines showing me today against yesterday.

resp_code="D101" latest=now earliest=-24h | timechart count by resp_code | appendcols [resp_code="D101" latest=-24h earliest=-48h | timechart count by resp_code]

I think I need to be looking in or around the appendcols function but I'm receiving the below error, it's obviously not parsing what I've written in the way I'd hope:

"Search operation 'resp' is unknown. You might not have permission to run this operation."

Am I barking up the wrong tree with appendcols, should I be doing this a different way?

JYTTEJ · ‎07-11-2011

You need to add the search command: [search resp_code....

View solution in original post

JYTTEJ · ‎07-11-2011

You need to add the search command: [search resp_code....

fwd4 · ‎07-11-2011

great much appreciated!

day by day comparison

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

day by day comparison

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...