How do I combine search results from two different...

angersleek · ‎12-10-2018

I am trying to combine results from two different time lines into a single table.

The search query for 1 day as follows:

some_app=my_app_name card_num=* | stats count(card_num) as "No: Requests" by card_num, plat

The result format as follows:

card_num plat No: Requests
XXX-1000 Windows  100
XXX-1002 mac      300
XXX-1002 linux    500  
.....

I want to do the same search but over 7 days.

For example, I get following results for 7 days:

card_num plat No: Requests
XXX-1000 Windows 10056723
XXX-1002 mac     3007845623
XXX-7777 linux   67585647
.....

I want to show it in a single table format as follows:

card_num plat No: Requests (1 day) Requests (7 day)
XXX-1000 Windows  100              10056723
XXX-1002 mac      300              3007845623
XXX-1002 linux    500              --
XXX-7777 linux    --               67585647

Is there a way I could make these searches once and create this table?

I do not have access to add plugins/ apps. Looking to do it without them. Thanks.

cmerriman · ‎12-10-2018

have you tried the timewrap command?

https://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Timewrap

otherwise, you could do some trickery with (feel free to experiment with ranges):

some_app=my_app_name card_num=* earliest=-7d|eval last7d=if(_time>relative_time(now(),"-7d"),1,0)|eval last24h=if(_time>relative_time(now(),"-24h"),1,0)| stats sum(last7d) as "No: Requests (last 7d)" sum(last24h) as  "No: Requests (last 24h)" by card_num, plat

skoelpin · ‎12-10-2018

This answer may be what you're looking for. It shows how to run 1 search and return results for different time periods

https://answers.splunk.com/answers/701211/how-do-you-calculate-the-mean-of-a-timewrap-series.html#an...

How do I combine search results from two different date time ranges into 1 table?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes