I am trying to combine results from two different time lines into a single table.
The search query for 1 day is as follows:
some_app=my_app_name card_num=* | stats count(card_num) as "No: Requests" by card_num, plat
The result format is as follows:
card_num   plat      No: Requests
XXX-1000   Windows   100
XXX-1002   mac       300
XXX-1002   linux     500
.....
I want to do the same search but over 7 days.
For example, I get the following results for 7 days:
card_num   plat      No: Requests
XXX-1000   Windows   10056723
XXX-1002   mac       3007845623
XXX-7777   linux     67585647
.....
I want to show it in a single table format as follows:
card_num   plat      No: Requests (1 day)   No: Requests (7 day)
XXX-1000   Windows   100                    10056723
XXX-1002   mac       300                    3007845623
XXX-1002   linux     500                    --
XXX-7777   linux     --                     67585647
Is there a way I could make these searches once and create this table?
I do not have access to add plugins/apps. Looking to do it without them. Thanks.
Have you tried the timewrap command?
https://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Timewrap
otherwise, you could do some trickery with (feel free to experiment with ranges):
some_app=my_app_name card_num=* earliest=-7d
| eval last7d=if(_time>relative_time(now(),"-7d"),1,0)
| eval last24h=if(_time>relative_time(now(),"-24h"),1,0)
| stats sum(last7d) as "No: Requests (last 7d)" sum(last24h) as "No: Requests (last 24h)" by card_num, plat
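To make the single-search trick above concrete without a Splunk instance, here is an added Python example (not from the original post or from Splunk) that simulates both approaches over constructed events: the question's "two searches, then merge" (an outer join on card_num, plat, with "--" where a key is absent) and the answer's "one search, one 0/1 flag per window, sum the flags by key". The event tuples, timestamps, card numbers and platforms are made up for the demonstration. One caveat worth seeing in the output: because the 24-hour window is nested inside the 7-day window, any key with a 1-day count also has a 7-day count, so "--" can only appear in the 1-day column.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MISSING = "--"  # placeholder the question uses for a key absent from one window
DAY1 = timedelta(hours=24)
DAY7 = timedelta(days=7)

# Constructed sample events (not real data): (_time, card_num, plat).
NOW = datetime(2019, 1, 8, 12, 0, tzinfo=timezone.utc)
EVENTS = (
    [(NOW - timedelta(hours=h), "XXX-1000", "Windows") for h in (1, 2, 3)]   # 3 in last 24h
    + [(NOW - timedelta(days=d), "XXX-1000", "Windows") for d in (2, 3, 4, 5)]  # 4 more in last 7d
    + [(NOW - timedelta(hours=6), "XXX-1002", "mac")]                           # 1 in last 24h
    + [(NOW - timedelta(days=2), "XXX-1002", "mac"),
       (NOW - timedelta(days=6), "XXX-1002", "mac")]                            # 2 more in last 7d
    + [(NOW - timedelta(days=4), "XXX-7777", "linux")]                          # only in the 7-day window
    + [(NOW - timedelta(days=9), "XXX-1002", "linux")]                          # older than 7 days: never read
)


def count_window(events, now, span):
    """One separate search per window: stats count by card_num, plat over (now-span, now]."""
    counts = defaultdict(int)
    for t, card, plat in events:
        if now - span < t <= now:
            counts[(card, plat)] += 1
    return dict(counts)


def outer_merge(day1, day7):
    """Combine two per-window tables into one row per key; '--' where a key is absent."""
    keys = sorted(set(day1) | set(day7))
    return [(card, plat, day1.get((card, plat), MISSING), day7.get((card, plat), MISSING))
            for card, plat in keys]


def two_searches(events, now):
    """The question's approach: run the 1-day and 7-day searches separately, then merge."""
    return outer_merge(count_window(events, now, DAY1), count_window(events, now, DAY7))


def single_pass(events, now):
    """The answer's approach: read 7 days of events once, set a 0/1 flag per window,
    then sum the flags by key (mirrors the eval/stats pipeline in the answer)."""
    last7d, last24h = defaultdict(int), defaultdict(int)
    for t, card, plat in events:
        if t <= now - DAY7:          # earliest=-7d: older events are not retrieved at all
            continue
        in7d = 1 if t > now - DAY7 else 0     # eval last7d=if(_time>relative_time(now(),"-7d"),1,0)
        in24h = 1 if t > now - DAY1 else 0    # eval last24h=if(_time>relative_time(now(),"-24h"),1,0)
        last7d[(card, plat)] += in7d          # stats sum(last7d) by card_num, plat
        last24h[(card, plat)] += in24h        # stats sum(last24h) by card_num, plat
    # stats sum() yields 0, not a blank, for a key with no events in the 24h window;
    # map that 0 to the '--' placeholder so the table matches the one in the question.
    return [(card, plat, last24h[(card, plat)] or MISSING, last7d[(card, plat)] or MISSING)
            for card, plat in sorted(last7d)]


if __name__ == "__main__":
    print(f"{'card_num':10} {'plat':8} {'No: Requests (1 day)':21} No: Requests (7 day)")
    for card, plat, d1, d7 in single_pass(EVENTS, NOW):
        print(f"{card:10} {plat:8} {str(d1):21} {d7}")
```

Both functions produce the same table, which is the point of the answer: one search over the wider window with per-window flags replaces two searches plus a join. In Splunk the `stats sum(...)` column will read 0 rather than "--" for a key that had no events in the last 24 hours; rewrite it with an `eval` after the `stats` if you want the placeholder.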
This answer may be what you're looking for. It shows how to run 1 search and return results for different time periods.