Splunk Search

How do I get results for different days on the same table?

angersleek
Path Finder

I'm using the following search and getting the following results. This search is done over 7 days.
Is there a way I can split this up and show 1 day + 7 days?

Current search:

some_search=*| stats count(some_num) as "No: Requests" by some_num, client

Current Result

some_num client No: Requests
9999999  PC     121
111111   MAC    342

Looking to get this result instead.

some_num client No: Requests (1 Day) No: Requests (7 Days)
9999999  PC     70                   121
111111   MAC    102                  342

Also, I tried with the following search, but I ended up with all days in a single row, which is not what I want.

Another try:

some_search=* | stats count(some_num) as "No: Requests" by some_num, client, date_mday

whrg
Motivator

Hi @angersleek,

One option would be to use the append command:

index=... ... earliest=-24h latest=now
| stats count(some_num) as "No: Requests" by some_num,client
| eval Days=1
| append [search index=... ... earliest=-7d latest=now
   | stats count(some_num) as "No: Requests" by some_num,client
   | eval Days=7]

Alternately, try this with a time range of the last 7 days:

some_search=*
| bucket _time span=1d
| eventstats max(_time) as max_time
| stats count as count_requests_7d count(eval(_time==max_time)) as count_requests_1d by some_num, client
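As an added example (not part of either post), the second search above can be collapsed into a single stats call with an explicit 24-hour boundary, which avoids the eventstats pass and also sidesteps a subtlety of the bucket/max_time version: that one counts whichever calendar-day bucket holds the newest event, so when run mid-day the "1 day" column covers only a partial day. The field names some_search, some_num and client are the asker's placeholders.

```spl
some_search=* earliest=-7d latest=now
| eval in_last_day=if(_time >= relative_time(now(), "-24h"), 1, 0)
| stats count as "No: Requests (7 Days)", sum(in_last_day) as "No: Requests (1 Day)" by some_num, client
| table some_num, client, "No: Requests (1 Day)", "No: Requests (7 Days)"
```

Because every event contributes exactly 0 or 1 to in_last_day, groups with no events in the last 24 hours show 0 rather than an empty cell.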