I have looked for solutions but I have mostly found results regarding only current and past time comparison which is not what I need. I have a query that bins _time by 24h spans over the previous 7 days. and calculates a numeric value associated with those time spans. What I need is to compare each day's values to the entire week's and find any time period (so 48h) where the number jumped significantly.  An example of something similar to my my code: index=sandwiches saved_search_name="yum" earliest=-7d | bin span=24h _time | search sandwich_type="PB&J" | stats count by total_bread_type _time | stats sum(total_bread_type) as bread by _time | eval bread = round(bread / 10000, 2) currently the results are like this: _time bread 2021-12-22 18:00 22 2021-12-23 18:00 23 2021-12-24 18:00 21 2021-12-25 18:00 47 2021-12-26 18:00 48 2021-12-27 18:00 46 2021-12-28 18:00 47 Basically I am looking to compare the 'bread' values by _time and figure out if/where there is a jump of 10 or more and return that data. Any insight would be appreciated. Thanks! ... View more

Hey all,  I got a really helpful response last time and now I'm back with another question.  I have a search with the same sourcetype that I want to run multiple clauses against to return different results in a table for comparison. Example: sourcetype = xyz | where (color == "red" OR color == "blue" OR color == "purple" OR color == "green") AND (crayon == "crayola" OR crayon == "prisma" OR crayon == "offBrand" OR crayon == "brandA") |  some stuff here that matches the search to a lookup | stats count(name) as "All sets" by Type (say name and type is the information pulled from the lookup) | where (color == "red" OR color == "blue) AND (crayon != "crayola" AND crayon != "offBrand") | stats count(name) as "Set A" by Type | where (color == "red" OR color == "blue) AND (crayon != "prisma" AND crayon != "brandA") | stats count(name) as "Set B" by Type  The end result I want is this:   All sets Set A Set B 5 3 2   I know it's bad practice to use join and append. I also know the where clauses are supposed to be higher up. I'm just not sure how to achieve this. I can get the 'All sets' just fine of course but after that nothing works. Any help for this newbie would be much appreciated. Thanks! ... View more

So, to preface this, I am very new to Splunk.  The end game is to make a chart overlay, but that's not my main question here. I have two searches with very similar information being returned. I need to make a table with information from both searches and I just can't seem to manage it. I have tried append, appendcols, multisearch, etc. The problem is that I cannot use OR for the sourcetype because the two sourcetypes have extremely similar information in them and the queries to pull from them are the exact same. Example: First: index = indexa sourcetype = sourcetypeA  | count X as "Result A" | other logic etc | table month_year "Result A"   Second: index= indexa sourcetype = sourcetypeB | count X as "Result B" | other logic etc | table month_year "Result B" Ultimately I'd want the results to say: month_Year Result B Result A info info info Right now when I attempt to do anything, it just skips out on "Result B" entirely. I know there must be some simple way I'm just missing. If anyone could help me out I'd really appreciate it, this is driving me crazy. ... View more