Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

show unique values from yesterday

splunkapprentic
Explorer
‎09-21-2016 12:58 AM

Hello, please help!
I want to display only the unique names from yesterday that are not in today's list

Initial search:

Date Name Value
09/18/2016 ABC 2
09/18/2016 XYZ 9
09/18/2016 EFG 8
09/19/2016 ABC 3

Final search:

Date Name Value
09/18/2016 XYZ 9
09/18/2016 EFG 8

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-21-2016 05:36 AM

Try this

index=xyz  earliest=-1d@d | eval Date=strftime(_time, "%m/%d/%Y") | eval when=if(_time>relative_time(now(), "@d"), "Today", "Yesterday") | dedup Name Date | eval Value=Value."#".Date | chart values(Value) as Value over Name by when | where isnull(Today) AND isnotnuill(Yesterday) | table Name Yesterday | rex field=Value "(?<Value>[^\#]+)\#(?<Date>.*)" | table Date Name Value

*UPDATED*

BASE SEARCH | eval when=if(strptime(Date, "%m/%d/%Y")>relative_time(now(), "@d"), "Today", "Yesterday") | dedup Name Date | eval Value=Value."#".Date | chart values(Value) as Value over Name by when | where isnull(Today) AND isnotnuill(Yesterday) | table Name Yesterday | rex field=Value "(?[^\#]+)\#(?.*)" | table Date Name Value

OR THIS*

base search | sort - Date | dedup Name | where strptime(Date, "%m/%d/%Y")<relative_time(now(), "@d"))

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-21-2016 07:25 AM

Assuming that you've a working search giving you your initial output, try this

your current search giving fields  Date Name Value | stats Values(Date) as Date values(Value) as Value by Name | where mvcount(Date)=1 AND strptime(Date, "%m/%d/%Y")>relative_time(now(), "@d")
0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-21-2016 05:36 AM

Try this

index=xyz  earliest=-1d@d | eval Date=strftime(_time, "%m/%d/%Y") | eval when=if(_time>relative_time(now(), "@d"), "Today", "Yesterday") | dedup Name Date | eval Value=Value."#".Date | chart values(Value) as Value over Name by when | where isnull(Today) AND isnotnuill(Yesterday) | table Name Yesterday | rex field=Value "(?<Value>[^\#]+)\#(?<Date>.*)" | table Date Name Value

*UPDATED*

BASE SEARCH | eval when=if(strptime(Date, "%m/%d/%Y")>relative_time(now(), "@d"), "Today", "Yesterday") | dedup Name Date | eval Value=Value."#".Date | chart values(Value) as Value over Name by when | where isnull(Today) AND isnotnuill(Yesterday) | table Name Yesterday | rex field=Value "(?[^\#]+)\#(?.*)" | table Date Name Value

OR THIS*

base search | sort - Date | dedup Name | where strptime(Date, "%m/%d/%Y")<relative_time(now(), "@d"))
0 Karma
Reply
Solved! Jump to solution

splunkapprentic
Explorer
‎09-21-2016 07:05 AM

I don't think I have the _time records 😞

0 Karma
Reply
Solved! Jump to solution

splunkapprentic
Explorer
‎09-21-2016 08:18 AM

yeah! the last one seems to do the job 😉

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎09-21-2016 08:21 AM

@splunkapprentice please accept this answer to close it out.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎09-21-2016 07:11 AM

Try the updated query

0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...