Splunk Search

Comparing results from two different dates

matthew_foos
Path Finder

Hello all,

Search string:
index=blahblah host=blahblah
| fields host, EventCode
| stats count by host, EventCode
| sort - count
| where count > 200

I'm trying to compare the results of this search for the following dates in one report:
1-4-2018 and 1-5-2018

Tags (1)
0 Karma
1 Solution

matthew_foos
Path Finder

Answered my own question:

| timechart span=1d count by EventCode

View solution in original post

0 Karma

mayurr98
Super Champion

you can try something like this

|multisearch [search index=blahblah host=blahblah earliest=1515004200 latest=1515090600 | eval date="1/4/2018"] [search index=blahblah host=blahblah earliest=1515090600 latest=1515177000 | eval date="1/5/2018"] | fields host, EventCode
| stats count by host, EventCode date
| sort - count
| where count > 200

OR

index=blahblah host=blahblah earliest=1515004200 latest=1515177000 | bin _time span=1d
| fields host, EventCode
| stats count by host, EventCode _time
| sort - count
| where count > 200

let me know if this helps !

0 Karma

matthew_foos
Path Finder

Answered my own question:

| timechart span=1d count by EventCode

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@matthew.foos if your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...