I was able to take the suggestion from woodcock, modify it from an "if" statement to a "case" statement, and got it to run showing a four week comparison. Here is the search string:
| noop | stats count AS pos | eval pos="1,2,3,4" | makemv delim="," pos | mvexpand pos | addinfo |
eval info_min_time=info_min_time - case(pos == 1, 0, pos == 2, 7*86400, pos == 3, 14*86400, pos == 4, 21*86400) |
eval info_max_time=info_max_time - case(pos == 1, 0, pos == 2, 7*86400, pos == 3, 14*86400, pos == 4, 21*86400) |
map search="search index=TEST CLASSNAME=JOB earliest=$info_min_time$ latest=$info_max_time$ | stats count by SITENAME" |
sort str(SITENAME) | table SITENAME, count
I had trouble figuring out the response from somesoni2. If I paste the search string and run it in Splunk, it gives me an error of:
"Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side".
I found the results from woodcock's suggestion hard to work with. As an example, if "stats count by SITENAME" was moved outside of the quoted map search string, the subsearch results were truncated at 10000. Moving it inside the quotes resolved this. Here is the search string where the subsearch results were truncated:
| noop | stats count AS pos | eval pos="1,2,3,4" | makemv delim="," pos | mvexpand pos | addinfo |
eval info_min_time=info_min_time - case(pos == 1, 0, pos == 2, 7*86400, pos == 3, 14*86400, pos == 4, 21*86400) |
eval info_max_time=info_max_time - case(pos == 1, 0, pos == 2, 7*86400, pos == 3, 14*86400, pos == 4, 21*86400) |
map search="search index=TEST CLASSNAME=JOB earliest=$info_min_time$ latest=$info_max_time$" |
convert timeformat="%Y-%m-%d" ctime(_time) AS date | stats count by SITENAME date
Unfortunately, moving "stats count by SITENAME" within the map search string kept me from doing the time conversion of _time to "date", and I could no longer get it to appear in my search results. I even tried moving it within the map search string, but could not get it to work.
Another interesting thing about woodcock's solution is that it jumps right into "Finalizing results", and zero events are found. But I do see the correct count numbers in my search results. I assume this is because the subsearch is doing all the work, and the parent search is what finds zero events?
I would be interested in getting the response from somesoni2 to work using the append command with a subsearch. Again, Splunk rookie here, so please hang in there with me. I appreciate all the help you can offer.
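The search above builds four weekly lookback windows from the parent search's info_min_time/info_max_time (subtracting 0, 7, 14 and 21 days) and runs one mapped search per window, aggregating with "stats count by SITENAME" inside the mapped search so only summary rows come back. The following Python is an added example, not code from the post or from Splunk: it reproduces that windowing and aggregation logic offline over a constructed event list so the behaviour can be checked without a Splunk instance. It generalizes the four-week case to N weeks, and it also does the per-day grouping ("stats count by SITENAME date") inside each window, which is what the poster was trying to keep inside the map search string. Field names (_time, SITENAME), the sample events and the reference window are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timezone

WEEK = 7 * 86400  # seconds in one week, as in the SPL case() offsets


def lookback_windows(info_min_time, info_max_time, weeks=4):
    """Return (pos, earliest, latest) per weekly window.

    Mirrors the SPL:  info_min_time - case(pos==1, 0, pos==2, 7*86400, ...)
    pos=1 is the parent search's own range, pos=2 is one week earlier, etc.
    """
    return [
        (pos, info_min_time - (pos - 1) * WEEK, info_max_time - (pos - 1) * WEEK)
        for pos in range(1, weeks + 1)
    ]


def count_by_site_and_date(events, earliest, latest):
    """Equivalent of one mapped search ending in 'stats count by SITENAME date'.

    Splunk treats earliest as inclusive and latest as exclusive; the same
    boundary rule is applied here. Aggregation happens inside the window, so
    only summary rows (not raw events) are returned to the caller.
    """
    counts = Counter()
    for ev in events:
        if earliest <= ev["_time"] < latest:
            # convert timeformat="%Y-%m-%d" ctime(_time) AS date
            date = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).strftime("%Y-%m-%d")
            counts[(ev["SITENAME"], date)] += 1
    return counts


def week_over_week_comparison(events, info_min_time, info_max_time, weeks=4):
    """Run every window and collect rows sorted by pos, SITENAME, date."""
    rows = []
    for pos, earliest, latest in lookback_windows(info_min_time, info_max_time, weeks):
        for (site, date), n in sorted(count_by_site_and_date(events, earliest, latest).items()):
            rows.append({"pos": pos, "SITENAME": site, "date": date, "count": n})
    return rows


# Constructed reference range: one day, 2024-03-25 00:00 to 2024-03-26 00:00 UTC.
INFO_MIN_TIME = int(datetime(2024, 3, 25, tzinfo=timezone.utc).timestamp())
INFO_MAX_TIME = INFO_MIN_TIME + 86400

# Constructed events (hypothetical sites); one falls exactly on latest of pos=1
# and one is older than all four windows, so neither should be counted.
SAMPLE_EVENTS = [
    {"_time": INFO_MIN_TIME + 3600, "SITENAME": "SITE_A"},
    {"_time": INFO_MIN_TIME + 5400, "SITENAME": "SITE_A"},
    {"_time": INFO_MIN_TIME + 7200, "SITENAME": "SITE_B"},
    {"_time": INFO_MIN_TIME - WEEK + 100, "SITENAME": "SITE_A"},
    {"_time": INFO_MIN_TIME - 2 * WEEK + 100, "SITENAME": "SITE_A"},
    {"_time": INFO_MIN_TIME - 3 * WEEK + 86399, "SITENAME": "SITE_B"},
    {"_time": INFO_MAX_TIME, "SITENAME": "SITE_A"},            # latest is exclusive
    {"_time": INFO_MIN_TIME - 4 * WEEK + 100, "SITENAME": "SITE_B"},  # outside all windows
]

if __name__ == "__main__":
    for row in week_over_week_comparison(SAMPLE_EVENTS, INFO_MIN_TIME, INFO_MAX_TIME):
        print(row)
```

Each window returns only its aggregated rows, which is the same reason the poster saw fewer results back from map once "stats count by SITENAME" moved inside the quoted search string: the raw events never leave the mapped search.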