I'm trying to build a graph in Splunk to provide a day-by-day comparison of particular response codes.
For example, I currently monitor the last 24 hours of logs looking for a string D101 (resp_code="D101") and graph it in a timechart. What I would like to do is run a second query for the same D101 message but from the previous 24 hours, the end result being a graph with 2 lines showing me today against yesterday.
resp_code="D101" latest=now earliest=-24h | timechart count by resp_code | appendcols [resp_code="D101" latest=-24h earliest=-48h | timechart count by resp_code]
I think I need to be looking in or around the appendcols function, but I'm receiving the error below; it's obviously not parsing what I've written in the way I'd hope:
"Search operation 'resp' is unknown. You might not have permission to run this operation."
Am I barking up the wrong tree with appendcols, or should I be doing this a different way?
You need to add the search command: [search resp_code....
Great, much appreciated!
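The corrected search from the answer, written out as an added example (not taken from the thread); the span=1h and the column names today/yesterday are assumptions:

```spl
resp_code="D101" earliest=-24h latest=now
| timechart span=1h count AS today
| appendcols
    [ search resp_code="D101" earliest=-48h latest=-24h
      | timechart span=1h count AS yesterday ]
```

appendcols pairs rows by position rather than by _time, so both timecharts need the same span (1h is assumed here) for the hours to line up. The _time column comes from the outer search, which is what places yesterday's counts on today's axis for the two-line comparison.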