Splunk Search

why can't I get 7 days of data in appendcols search?

Min1025
Explorer

Hi All,

I have a search for comparing data between 2 weeks. I can get data for 7 days in the first search, but only got 2 days of data in the appendcols search. Why can't I get 7 days of data in the appendcols search?

  index=xxx  earliest=-7d@d latest=-0d@d | eval Date1 = (date_year + "-" + date_month + "-" + date_mday) 
    | stats count AS SearchThisWeek by Date1
    | appendcols  [ search index=xxx  earliest=-14d@d latest=-10d@d | eval Date2 = (date_year + "-" + date_month + "-" + date_mday) | stats count AS SearchLastWeek by Date2] 
    | eval SearchFluctuatePerc=(SearchThisWeek-SearchLastWeek)/ SearchLastWeek 
    | fields Date1, SearchThisWeek, Date2, SearchLastWeek, SearchFluctuatePerc



Min1025
Explorer

I found a solution for this, just need to set the maxtime and timeout:

  | appendcols maxtime=600 timeout=600


woodcock
Esteemed Legend

The appendcols is a subsearch, which is limited to 50.5K results returned to the main search. When I need to do something like this, I search for the broadest range (in this case earliest=-14d@d latest=-0d@d) and then preclude the stuff that I don't need with _time>foo AND _time<bar, where you calculate foo and bar with a subsearch and relative_time.

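One way to write the single-range search woodcock describes, as an added example rather than a search from this thread: it pulls the whole 14-day window once, classifies each day with relative_time instead of a second search, pivots so each weekday carries both weeks, and keeps the original field names. It assumes the same index=xxx and the same 7-day-on-7-day comparison as the question.

```spl
index=xxx earliest=-14d@d latest=-0d@d
| bin _time span=1d
| eval Date=strftime(_time, "%Y-%m-%d")
| eval Weekday=strftime(_time, "%A")
| eval Week=if(_time >= relative_time(now(), "-7d@d"), "ThisWeek", "LastWeek")
| stats count AS Searches by Week Date Weekday
| eval Date1=if(Week="ThisWeek", Date, null()), SearchThisWeek=if(Week="ThisWeek", Searches, null())
| eval Date2=if(Week="LastWeek", Date, null()), SearchLastWeek=if(Week="LastWeek", Searches, null())
| stats values(Date1) AS Date1, sum(SearchThisWeek) AS SearchThisWeek, values(Date2) AS Date2, sum(SearchLastWeek) AS SearchLastWeek by Weekday
| eval SearchFluctuatePerc=round((SearchThisWeek - SearchLastWeek) / SearchLastWeek * 100, 2)
| sort Date1
| fields Date1, SearchThisWeek, Date2, SearchLastWeek, SearchFluctuatePerc
```

Because there is no subsearch, the 50.5K-result subsearch limit and the maxtime/timeout settings no longer apply; the week boundary comes from now() snapped with @d, which matches the earliest/latest snapping, and the Weekday pivot only lines up correctly when both windows are exactly 7 days.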

Min1025
Explorer

Hi woodcock,

Do you have an example for this kind of search?


jkat54
SplunkTrust

If you do it without the date evals, does it work?

If so use strftime on _time to format it.

Like this

  | eval Date2=strftime(_time, "%Y-%m-%d")

The date_mday etc are not reliable for statistical functions.


Min1025
Explorer

Hi, I tried using strftime on _time and still see the same issue.


HiroshiSatoh
Champion

I think that it is because the data does not exist.
Does the subsearch return results for 7 days?


Min1025
Explorer

Hi HiroshiSatoh,

I tried the subsearch and could get results for 7 days (2018/6/15 to 2018/6/21).

Thanks,
Min
