- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to get the 3 columns result with 3 different t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get the 3 columns result with 3 different time stamps
Hi Splunk Guys,
Please help me with the query. My requirement is, I need search server count in here based on the version for 3 different time stamps. REsult as shown in the below
| Version Type | 30 days | 60 Days | 90 Days |
| 1.1.1.00 | 7 | 9 | 18 |
| 2.1.3.4 | 8 | 10 | 14 |
| 3.1.4.6 | 10 | 15 | 18 |
Index=_internal sourcetype=servers_list earlist=-30d
| stats count(Parameter) as ServersCount_Last30Days by Value
The above query gives me last 30 days result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vvemula based on your question seems like you are interested in delta for each time duration i.e 0-30 days 30-60 days and 60-90 days.
Following is a run anywhere search based on Splunk's _internal index which splunkd errors for last 7 days as 0-1 day, 1-3 days and 3-7 days broken down by various components.
[Optional only for demo use case]... it retains only top 5 components as per total errors.
index="_internal" sourcetype="splunkd" log_level!="INFO" earliest="-7d" latest=now
| stats count as Total count(eval(_time>relative_time(now(),"-1d@d") AND _time<=now())) as "0-1 day"
count(eval(_time>relative_time(now(),"-3d@d") AND _time<=relative_time(now(),"-1d@d-1s"))) as "1-3 days"
count(eval(_time>relative_time(now(),"-7d@d") AND _time<=relative_time(now(),"-3d@d-1s"))) as "3-7 days" by component
| sort - Total
| head 5
| fields component * TotalYou can adjust as per your needs, data and field names. Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketn HI, Thank you so much for your reply.
So As per your example. I have tried my requirement.
| stats count(servers) as Total count(eval(_time>relative_time(now(),"-30d@d") AND _time<=now())) as "30day"
count(eval(_time>relative_time(now(),"-60d@d") AND _time<=relative_time(now(),"-30d@d-1s"))) as "60days"
count(eval(_time>relative_time(now(),"-90d@d") AND _time<=relative_time(now(),"-60d@d-1s"))) as "90days" by parameter
--> "Parameter" has 10 different values, based on the stats,... I am getting only 5 few.
--> 60days and 90days not working coming as "0" s
Am I doing something wrong in here. ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vvemula
Based on your use case the following should do what you want ...
index=_internal sourcetype=servers_list earliest=-90d@d
| stats
count(eval(if(_time <= relative_time(now(), "-30d@d"), Parameter, null() ) )) as "30 Days"
count(eval(if(_time <= relative_time(now(), "-60d@d"), Parameter, null() ) )) as "60 Days"
count(eval(if(_time <= relative_time(now(), "-90d@d"), Parameter, null() ) )) as "90 Days"
BY Value
If you want distinct 30 days period counts then adjust the eval statement, e.g.
stats ...
count(eval(if(_time > relative_time(now(), "-30d@d") AND _time <= relative_time(now(), "-60d@d"), Parameter, null() ) )) AS "30-60 Days"
...Hope this helps. If it does then please mark post as solved.
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
Adoption of Infrastructure Monitoring at Splunk
