Splunk Search

Subsearch results display in different columns with same field by differenet timerange

rossikwan
Path Finder

sourcetype=xxx earliest=-1d@d latest=-0d@d | stats count by host | append [search earliest=-2d@d latest=-1d@d | stats count by host] | sort -count -host


The results displayed as below:

host    count
hostA   6080
hostA   6182
hostB   3023
hostB   3238
...

And I would like the results displayed as below:

host    p1d_count    p2d_count
hostA   6080         6182
hostB   3023         3238
...

Is there a simple way to make the results more easily readable and presentable?
Thanks.

Rossi


vipiao
New Member

sourcetype=xxx earliest=-1d@d latest=-0d@d | stats count by host | rename count as p1d_count | streamstats count as rownum | join rownum [search earliest=-2d@d latest=-1d@d | stats count by host | rename count as p2d_count | streamstats count as rownum] | fields - rownum


rossikwan
Path Finder

Works like a Charm, thanks 🙂


imrago
Contributor

Hi,

a solution could be something like this:

earliest=-2d@d latest=@d | eval Date=strftime(_time,"%Y-%m-%d")| chart count by host,Date

dwaddle
SplunkTrust

Yes, imrago's solution is a good one. As long as the days you are dealing with are consecutive there is no value in the appended subsearch. You could alternately use the built-in date_wday or date_mday extractions instead of computing Date. A more general example of day-over-day that can be adapted to week-over-week or month-over-month is demonstrated in http://splunk-base.splunk.com/answers/2712/line-chart-comparing-yesterdays-result-with-todays-result...

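As an added example that is not from any post in this thread: a single search over both days that labels each event by the same midnight boundary the question uses, pivots with chart so a host that only appears on one of the two days still lands on its own row (a join on row number would pair it with the wrong host), and goes one step beyond the question by adding a delta column; the field names p1d_count and p2d_count are the ones from the question, delta is an assumed name.

```spl
sourcetype=xxx earliest=-2d@d latest=@d
| eval day=if(_time < relative_time(now(), "-1d@d"), "p2d_count", "p1d_count")
| chart count over host by day
| fillnull value=0 p1d_count p2d_count
| eval delta=p1d_count - p2d_count
| sort -p1d_count host
```

A host whose delta drops to roughly -p2d_count has gone quiet, which is the kind of log-source gap this day-over-day view makes easy to spot.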