Splunk Search

Can you help me create a search query that would make a dynamic comparison of yesterday's data to last week's?

sagar_shubham
Explorer

I wrote the following query for today's comparison with last week:

index = abc App_Name=xyz earliest=-0d@d latest=now
| multikv
| eval ReportKey="Today"
| append [search index = abc App_Name=xyz earliest=-7d@d latest=-6d@d
    | multikv
    | eval ReportKey="LastWeek"
    | eval _time=_time+60*60*24*7]
| timechart span=5m sum(TOTAL_TRANSACTIONS) as Transactions by ReportKey

I want the query to do the following: allow someone to view the comparison of yesterday's data with last week's (comparing yesterday with its data from one week earlier), or the "day before yesterday" with its corresponding "last week" data, and so on.

So, could you please help me with how to write the query for that?

0 Karma

skoelpin
SplunkTrust
SplunkTrust

You should use relative_time or timewrap to do this. It will be much cleaner.

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

Hi @sagar_shubham,

Did you try out Skoelpin's suggestion? Did it work? Let us know, so we can convert it to an answer, and then you can approve it! Thanks.

0 Karma

sagar_shubham
Explorer

Could you please refer me to an example?

0 Karma

skoelpin
SplunkTrust
SplunkTrust

A quick and dirty way would be to use timewrap like this.

index = abc App_Name=xyz
| timechart span=5m sum(TOTAL_TRANSACTIONS) as Transactions
| timewrap 1d

If this doesn't work then you will need to use relative time like this

index = abc App_Name=xyz 
| eval today=relative_time(now(),"-d@d")
| eval yesterday=relative_time('today', "-d@d")
0 Karma
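Putting the relative_time suggestion together into one search, as an added example that is not from any of the posters: set N to 1 for yesterday, 2 for the day before yesterday, and so on; the search keeps only the selected day and the same day one week earlier, shifts the earlier day forward by seven days so the two line up on the time axis, and charts them side by side. It assumes the index, App_Name, multikv layout and TOTAL_TRANSACTIONS field from the original query; the N and shift fields and the two ReportKey labels are constructed here, and earliest=-9d@d covers N up to 2 and must be widened for larger values.

```spl
index = abc App_Name=xyz earliest=-9d@d latest=@d
| multikv
| eval N=1
| eval shift=7*86400
| eval day_cur_start=relative_time(now(), "-".N."d@d")
| eval day_cur_end=day_cur_start+86400
| eval day_prev_start=day_cur_start-shift
| eval day_prev_end=day_cur_end-shift
| eval ReportKey=case(_time>=day_cur_start AND _time<day_cur_end, "Selected day",
                      _time>=day_prev_start AND _time<day_prev_end, "Same day last week")
| where isnotnull(ReportKey)
| eval _time=if(ReportKey="Same day last week", _time+shift, _time)
| timechart span=5m sum(TOTAL_TRANSACTIONS) as Transactions by ReportKey
```

Because the day boundaries come from relative_time on now(), the same saved search keeps comparing the correct pair of days as time moves on, and a dashboard token can replace the literal in eval N=1 to let viewers pick the day.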