How can I run a search for both this and last week...

Skins · ‎08-24-2017

I have a search which i want to run over the last 7 days and compare the total from last week and the current number for this week.

my search if run over 7 days seems to only compare with the previous day.

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4725 | timechart span=1d count AS "7 day disabled Accts"

gratzi

gcusello · ‎08-25-2017

Hi Skins,
try using timechart command and bins option:

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4725 earliest=-2w latest=now | timechart bins=2 count

Bye.
Giuseppe

s2_splunk · ‎08-24-2017

Start here

Skins · ‎08-24-2017

i tried adding timewrap 1week to the end of my search but that doesn't give me what i wanted either.

I'm looking for a single value which runs as a weekly scheduled report that gives me this weeks value and the previous weeks value underneath in the sparkline (or maybe a percentage)

gratzi

ColinCH · ‎08-25-2017

So if i understand you correctly, you want 2 numbers

Lastweek:
Thisweek:

you tried it with | timechart span=1w count as "Weekly" ? and run it ends of the week?

if you want "thisweek" splitted by days you can do a subsearch and append that one.

| append [ search "your query" earliest=-1w@w latest=@w| timechart span=1d count as "Daily"]

How can I run a search for both this and last week?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!