Splunk Search

comparing two values of Today and Yesterday

abhayneilam
Contributor

Hi,

I have two searches and I want to compare one with the other. One search should run for "Today" and the other for "Yesterday", so I have used earliest=@d latest=now for "Today" and earliest=-1d@d latest=@d for "Yesterday". But there is one catch: it is not good to compare the data in this case, because "Yesterday" has the full last 24 hours of data and "Today" has only the data up to when I am running the query (let's say 10 hours of data). If I execute the "Today" query it will be 12 hours of data compared with 24 hours of data...

So, I want to make my query such that it compares today's 12 hours of data with yesterday's 12 hours of data.

I need your help with that!! Please suggest a solution.

Thanks in advance !!

0 Karma

somesoni2
SplunkTrust

Try something like this

| multisearch [search index=_internal earliest=@d latest=now | eval day="Today"] 
[search index=_internal [search index=_internal earliest=@d latest=now | head 1  | addinfo | eval latest=info_max_time-86400 | eval earliest=info_min_time-86400 | table earliest, latest| format "" "" " " "" "" ""] | eval day="Yesterday"]...

This query compares data from today's hours (if run at 04/03/2014 10:00 AM, then 04/03/2014 00:00 AM to 04/03/2014 10:00 AM) with the exact same hours from yesterday (04/02/2014 00:00 AM to 04/02/2014 10:00 AM).

0 Karma

richgalloway
SplunkTrust

You could use earliest=@d latest=@h for Today and earliest=-1d@d latest=-24h@h for Yesterday. Or earliest=@d latest=@m for Today and earliest=-1d@d latest=-1440m@m for Yesterday.

---
If this reply helps you, Karma would be appreciated.
0 Karma
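The two replies above pick comparable windows in different ways: one shifts today's actual window back by exactly 86400 seconds, the other snaps both windows to whole hours. As an added example (not from this thread), the window arithmetic of both replies and of the asker's original searches, reproduced in Python on a constructed event list so the like-for-like effect can be checked; the run time, the event timestamps and the naive-UTC handling are assumptions:

```python
from datetime import datetime, timedelta

DAY_SECONDS = 86400  # the constant the addinfo-based subsearch subtracts

# Constructed inputs (assumptions, not data from the thread): the search is
# "run" at 10:30 on the date used in the thread, and there is one event at the
# top of every hour yesterday (24 events) and every hour so far today (11).
NOW = datetime(2014, 4, 3, 10, 30)
SAMPLE_EVENTS = (
    [datetime(2014, 4, 2, h) for h in range(24)]
    + [datetime(2014, 4, 3, h) for h in range(11)]
)


def midnight(ts):
    """Equivalent of the @d snap: truncate to the start of the day."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def top_of_hour(ts):
    """Equivalent of the @h snap: truncate to the start of the hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def windows(now, mode):
    """Return (today, yesterday) as (earliest, latest) pairs for one of three modes.

    naive   : earliest=@d latest=now  vs  earliest=-1d@d latest=@d   (the asker's
              original searches; yesterday is a full day, today is partial)
    shifted : today's actual window moved back by exactly 86400 s (what the
              info_max_time-86400 / info_min_time-86400 subsearch computes)
    hour    : earliest=@d latest=@h  vs  earliest=-1d@d latest=-24h@h (whole
              hours only, so both windows end on an hour boundary)
    """
    start = midnight(now)
    if mode == "naive":
        return (start, now), (start - timedelta(days=1), start)
    if mode == "shifted":
        shift = timedelta(seconds=DAY_SECONDS)
        return (start, now), (start - shift, now - shift)
    if mode == "hour":
        end = top_of_hour(now)
        return (start, end), (start - timedelta(days=1), end - timedelta(days=1))
    raise ValueError(f"unknown mode: {mode}")


def count_in_window(events, window):
    """Splunk semantics: earliest is inclusive, latest is exclusive."""
    earliest, latest = window
    return sum(1 for ts in events if earliest <= ts < latest)


def compare(events, now, mode):
    """Count events in the two windows; mirrors '... | stats count by day'."""
    today, yesterday = windows(now, mode)
    return {
        "today": count_in_window(events, today),
        "yesterday": count_in_window(events, yesterday),
    }


if __name__ == "__main__":
    for mode in ("naive", "shifted", "hour"):
        t, y = windows(NOW, mode)
        print(f"{mode:8s} today={t[0]:%m/%d %H:%M}-{t[1]:%H:%M} "
              f"yesterday={y[0]:%m/%d %H:%M}-{y[1]:%H:%M} "
              f"-> {compare(SAMPLE_EVENTS, NOW, mode)}")
```

On this input the naive pair gives 11 events today against 24 yesterday, which is the mismatch the question describes, while the shifted and hour-snapped pairs give 11/11 and 10/10. One caveat when carrying this back to SPL: relative modifiers such as -1d@d and -24h@h are evaluated in the user's time zone, whereas info_max_time-86400 is plain epoch arithmetic, so the two approaches pick different "yesterday" windows on the day after a DST change; with the naive timestamps used here they coincide.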

MuS
SplunkTrust

Hi abhayneilam,

Take a look at the timewrap app, which provides a new search command to do exactly this kind of time-to-time comparison.

cheers, MuS

0 Karma

MuS
SplunkTrust

Thinking a bit about this request, I came up with this run-everywhere command:

index=_internal earliest=-25h@h | stats count(date_hour) as hourly_count by date_hour, date_wday

This will count all events per hour in the last 25 hours and group them per hour per day. Just adapt it to your needs, for example by filtering on the date_hour you need.

0 Karma