Sure there is, join should be considered as last resort not as first choice. Take this run everywhere example which compares the first day of last week with the first day two weeks ago:
index=_internal earliest=-2w@w sourcetype=splunkd date_mday=1 OR date_mday=8
| bucket _time span=1d
| stats last(_time) AS last_time count AS per_day_count by _time, host, sourcetype
| eval weeks = if(last_time > exact(relative_time(now(),"-2w@w")) AND last_time <= exact(relative_time(now(),"-1w@w")) , per_day_count ,"0")
| eval week = if(last_time > exact(relative_time(now(),"-1w@w")) AND last_time <= exact(relative_time(now(),"-0w@w")) , per_day_count ,"0")
| where NOT weeks = week
| stats max(last_time) AS _time, values(sourcetype) AS sourcetype, max(week) AS 1w_ago, max(weeks) AS 2w_ago
I had to build this on weeks because of the 30 days retention time on index=_internal so adapt it to your needs...
cheers, MuS
... View more