Re: How can I run a search for both this and last ...

Skins · ‎08-24-2017

I have a search which i want to run over the last 7 days and compare the total from last week and the current number for this week.

my search if run over 7 days seems to only compare with the previous day.

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4725 | timechart span=1d count AS "7 day disabled Accts"

gratzi

gcusello · ‎08-25-2017

Hi Skins,
try using timechart command and bins option:

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4725 earliest=-2w latest=now | timechart bins=2 count

Bye.
Giuseppe

s2_splunk · ‎08-24-2017

Start here

Skins · ‎08-24-2017

i tried adding timewrap 1week to the end of my search but that doesn't give me what i wanted either.

I'm looking for a single value which runs as a weekly scheduled report that gives me this weeks value and the previous weeks value underneath in the sparkline (or maybe a percentage)

gratzi

ColinCH · ‎08-25-2017

So if i understand you correctly, you want 2 numbers

Lastweek:
Thisweek:

you tried it with | timechart span=1w count as "Weekly" ? and run it ends of the week?

if you want "thisweek" splitted by days you can do a subsearch and append that one.

| append [ search "your query" earliest=-1w@w latest=@w| timechart span=1d count as "Daily"]

How can I run a search for both this and last week?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases