How to edit my search to add row header labels to the table of results?

vivekb
New Member

I have created the following Splunk search:

host=xyz* index=my_index NOT(bot) earliest=-1d@d latest=-0d@d
| eval searchid="Today"
| stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404
| append [ search index=my_index host=pdap* index=os_web NOT(bot) earliest=-2d@d latest=-1d@d
    | eval searchid="Yesterday"
    | stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 ]

The following is the result:

Exceptions    Errors    404
58            95        49
59            135       94

My question is: how do I add row labels like "Today" for the first row and "Yesterday" for the second row?

1 Solution

sundareshr
Legend

Try this

host=xyz* index=my_index NOT(bot) earliest=-2d@d latest=-0d@d
| eval searchid=if(_time>=relative_time(now(), "-1d@d"), "Today", "Yesterday")
| stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid


ppablo
Retired

Hi @vivekb

Don't forget to resolve your question by clicking "Accept" below the answer you decided to go with!

Patrick


vivekb
New Member

Done. Thanks Patrick!


alacercogitatus
SplunkTrust

You can combine this into a single search, but the important part is the "by" clause.

As you have it written:

host=xyz* index=my_index NOT(bot) earliest=-1d@d latest=-0d@d
| eval searchid="Today"
| stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid
| append [ search index=my_index host=pdap* index=os_web NOT(bot) earliest=-2d@d latest=-1d@d
    | eval searchid="Yesterday"
    | stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid ]

As I would write it combined:

index=my_index host=pdap* index=os_web NOT(bot) earliest=-2d@d latest=-0d@d
| eval searchid=if(_time>relative_time(now(),"-1d@d"),"Today", "Yesterday")
| stats count(eval(searchmatch("Exception"))) as Exceptions count(eval(searchmatch("Error"))) as Errors count(eval(searchmatch("404"))) as 404 by searchid

vivekb
New Member

Thanks much. Perfect answer, similar to what @sundareshr has posted. Since I can accept only one answer, I picked the first one. Thanks again.


vivekb
New Member

Thanks a bunch. Saved my day.


vivekb
New Member

Thanks again, @sundareshr. One extension to the query: since the relative_time function accepts two arguments, how do I extrapolate to the last 7 days?

E.g.
Today
Yesterday
2 Days Prior
3 Days Prior

Thanks.


sundareshr
Legend

You could do:

searchid=round((now()-_time)/86400, 0)." days"

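As an added example (not code posted in this thread), here is how the accepted two-day labeling generalises to the seven-day case asked about in the last post. It assumes the host pattern and index from the question and uses only long-standing SPL functions (relative_time, case, searchmatch). Both the event time and now() are snapped to midnight with @d, so an event logged at 23:59 yesterday is still labeled "Yesterday" when the search runs at 00:01 today; the difference is then a whole number of days (give or take the one-hour DST shift, which round() absorbs). Note that the question's "Today" window (-1d@d to -0d@d) actually covers the last complete day; this example labels real calendar days and includes the partial current day, so set latest=@d if you want only complete days.

```spl
host=xyz* index=my_index NOT(bot) earliest=-7d@d latest=now
| eval days_ago=round((relative_time(now(),"@d") - relative_time(_time,"@d")) / 86400, 0)
| eval searchid=case(days_ago==0, "Today",
                     days_ago==1, "Yesterday",
                     true(),      days_ago." Days Prior")
| stats count(eval(searchmatch("Exception"))) as Exceptions
        count(eval(searchmatch("Error")))     as Errors
        count(eval(searchmatch("404")))       as "404"
        by days_ago searchid
| sort days_ago
| fields - days_ago
```

Grouping by days_ago as well as searchid keeps a numeric key so the rows sort chronologically ("2 Days Prior" before "10 Days Prior" if you widen the window); the trailing fields command drops that key so the table shows just the label and the three counts. Quoting "404" as a field name avoids the count being read as a number in later commands.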