How to edit my search to compare the count for Tuesday of the present week with Tuesday of the previous week?

vrmandadi
Builder

Hello,

I am trying to compare the count for Tuesday of last week with Tuesday of this week. I am currently using the below search to compare the results:

index=d earliest=@w2 latest=now
| eval Period=if( _time

0 Karma
1 Solution

arobbins_splunk
Splunk Employee

How about:

index=_internal earliest=-14d date_wday="tuesday"
| eval day=date_month." ".date_mday
| stats count by day

By putting the filtering for date_wday in the initial search, you won't retrieve any extraneous events.

somesoni2
SplunkTrust

Give this a try (check the rex messages)

index=d " earliest=-14d date_wday=Tuesday
| eval day=if(_time>relative_time(now(),"-7d"),"ThisWeek","LastWeek")
| rex field=EWS_MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)"
| rex field=ews_transaction_log.ews_message_qualifier "(?<MESSAGE_TYPE>\w+)"
| chart count by MESSAGE_TYPE,day

If date_wday is not already present

index=d " earliest=-14d@d
| where strftime(_time,"%a")="Tue"
| eval day=if(_time>relative_time(now(),"-7d"),"ThisWeek","LastWeek")
| rex field=EWS_MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)"
| rex field=ews_transaction_log.ews_message_qualifier "(?<MESSAGE_TYPE>\w+)"
| chart count by MESSAGE_TYPE,day

vrmandadi
Builder

It worked, thanks a lot, but please explain to me what the below search does:

eval day=if(_time>relative_time(now(),"-7d")

0 Karma

somesoni2
SplunkTrust

This differentiates between the two Tuesdays that you'll get in the results. If the timestamp of the events is within the last 7 days, they are from the Tuesday just passed. If you run the query on or after Wednesday, it'll give Tuesday of the current week; else it will give Tuesday of last week.

0 Karma
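
An added example, not part of the original thread or any poster's code: a Python model of the eval day=if(_time>relative_time(now(),"-7d"),...) split, run over constructed hourly timestamps for a 14-day window, so you can see which Tuesday each event is labelled with for a given run time, including a run on a Tuesday itself. It goes beyond the thread by also showing a variant that compares against calendar Tuesdays (the @w2 snap used in the question); that variant, the function names and the sample run times are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

TUESDAY = 1  # datetime.weekday(): Monday is 0

def hourly_events(now, days=14):
    """Constructed sample data: one event per hour across an earliest=-14d window."""
    top = now.replace(minute=0, second=0, microsecond=0)
    return [top - timedelta(hours=h) for h in range(days * 24)]

def rolling_label(ts, now):
    """Model of eval day=if(_time>relative_time(now(),"-7d"),"ThisWeek","LastWeek")."""
    return "ThisWeek" if ts > now - timedelta(days=7) else "LastWeek"

def snap_to_tuesday(t):
    """Midnight of the most recent Tuesday at or before t (what @w2 snaps to)."""
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=(midnight.weekday() - TUESDAY) % 7)

def snapped_label(ts, now):
    """Assumed variant: label by calendar Tuesday instead of a rolling 7 days."""
    this_tue = snap_to_tuesday(now)
    if ts >= this_tue:
        return "ThisWeek"
    if ts >= this_tue - timedelta(days=7):
        return "LastWeek"
    return "Older"

def tuesday_counts(now, label):
    """Count Tuesday events per (date, label), like stats count by date, day."""
    counts = Counter()
    for ts in hourly_events(now):
        if ts.weekday() == TUESDAY:
            counts[(ts.date().isoformat(), label(ts, now))] += 1
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    # Constructed run times: a Wednesday morning and a Tuesday at midday.
    for now in (datetime(2024, 3, 13, 9, 30), datetime(2024, 3, 12, 12, 30)):
        for label in (rolling_label, snapped_label):
            print(now.strftime("%a %H:%M"), label.__name__, tuesday_counts(now, label))
```

Run on a Wednesday, both labellings agree; run at midday on a Tuesday, the rolling cutoff lands in the middle of the previous Tuesday and the window also reaches a third, partial Tuesday.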

woodcock
Esteemed Legend

You need the timewrap app:

https://splunkbase.splunk.com/app/1645/

0 Karma

vrmandadi
Builder

Thank you arobbins, it worked with just a small change in my query.

0 Karma