How can I get counts for yesterday and last week?

dpatel01 · ‎05-27-2022

Hi Splunkers,

I am stuck at how can I get counts for Yesterday and Last week. so ask is when select relative time from timer(in Dashboard) it should give me counts for yesterday in one panel and in another panel for last week.

For Example,

1) I am searching for 9pm to 10pm in my Dashboard so I want to setup a query that gives me same time data but yesterday's 9pm to 10pm (Query for Yesterday)

2) If I run same data then other panel should give me counts for last week at same time (Query for last Week)

so I am looking for two separate queries for both.

Basic Query:-

index::name type=sample_events "service"="auth" "successReason"=VALID | stats count

ITWhisperer · ‎05-27-2022

There are a couple of ways to do this. Assume that the timepicker sets the time frame for the first panel.

Assuming you are using Classic Dashboard, in the change handler for the time picker, evaluate a couple of additional tokens which are a week prior to the earliest and latest values returned by the time picker.

Another way would be to override the earliest and latest values with values derived from the time settings of the search in the second panel, something like this

your search [| makeresults
  | addinfo
  | eval earliest=info_min_time-(7*24*60*60)
  | eval latest=info_max_time-(7*24*60*60)
  | fields earliest latest]

dpatel01 · ‎06-02-2022

Thanks!! This is exactly what I asked for.

How can I get counts for yesterday and last week?

chart

fields

other

stats

timechart

transaction

tstats

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio