- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to compare two weeks ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I use Splunk 6.2.
I try to compare two values between two differents weeks.
index="market_logs" host="12.0.0.1" OR host="12.0.0.2"
AND status="rejected" OR status="error"
AND srcip="192.168.0.1" OR srcip="192.168.0.2"
| eval r_before =
[search index="market_logs" host="12.0.0.1" OR host="12.0.0.2"
AND status="rejected" OR status="error"
AND srcip="192.168.0.1" OR srcip="192.168.0.2"
earliest=-14d@h latest=-7d@h
| stats count]
| stats count AS r_now
But it doesn't work. I have the following error : "Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr])."
I use a script who extract the two values.
Can someone help me please ?
Thanks,
falcom92
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I find the solution with append and it works.
index="market_logs" host="12.0.0.1" OR host="12.0.0.2"
AND status="rejected" OR status="error"
AND srcip="192.168.0.1" OR srcip="192.168.0.2"
| stats count
| append [search index="market_logs" host="12.0.0.1" OR host="12.0.0.2"
AND status="rejected" OR status="error"
AND srcip="192.168.0.1" OR srcip="192.168.0.2"
earliest=-14d@h latest=-7d@h
| stats count]
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I find the solution with append and it works.
index="market_logs" host="12.0.0.1" OR host="12.0.0.2"
AND status="rejected" OR status="error"
AND srcip="192.168.0.1" OR srcip="192.168.0.2"
| stats count
| append [search index="market_logs" host="12.0.0.1" OR host="12.0.0.2"
AND status="rejected" OR status="error"
AND srcip="192.168.0.1" OR srcip="192.168.0.2"
earliest=-14d@h latest=-7d@h
| stats count]
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Falcom,
For ease of use I'd recommend the timewrap app, it adds an extra command/function to the search which lets you set a span, either by day, by week, by month for 1 search, which could help improve search speeds.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I second this or use stats which will out-perform anything else - especially on long runs over a bigger time range.
Any kind of sub search such be your last resort not your first choice ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi falcom92,
use the timewrap app https://apps.splunk.com/app/1645 which will handle such things or take a look at this answer http://answers.splunk.com/answers/185829/how-to-create-a-custom-macro-function-inside-the-s.html to get an idea how it can be done using some stats commands.
Hope this helps ...
cheers, MuS
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
