Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my search showing 2 values for the same hour?

xvxt006
Contributor
‎02-02-2015 05:46 AM

I am using the search below to compare this week vs last week same hour counts, but in the results, for some of the hours, I am seeing 2 values for the same hour as shown in the screenshotalt text

What could be the reason for this? 

 status=404  | stats count as Today by date_hour | appendcols [search sourcetype=access_combined_wcookie status=404 earliest=-7d@d latest=-6d@d | stats count as LastWeek by date_hour] | sort date_hour
Tags (2)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎02-02-2015 06:24 AM

Hi xvxt006,

I cannot tell you why this happens, but I can show you a more efficient search to achieve the same result. Take this run everywhere example:

index=_internal sourcetype=splunk_web_access status=200 earliest=-14d@d latest=now | eval last_week=relative_time(now(), "-7d@d") | stats count(eval(if(last_week > _time, status, null()))) AS last_week count(eval(if(last_week < _time, status, null()))) AS this_week by date_hour

It will only run one search and count's based on the time of the events.

Hope this helps to sort this out ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎02-02-2015 06:24 AM

Hi xvxt006,

I cannot tell you why this happens, but I can show you a more efficient search to achieve the same result. Take this run everywhere example:

index=_internal sourcetype=splunk_web_access status=200 earliest=-14d@d latest=now | eval last_week=relative_time(now(), "-7d@d") | stats count(eval(if(last_week > _time, status, null()))) AS last_week count(eval(if(last_week < _time, status, null()))) AS this_week by date_hour

It will only run one search and count's based on the time of the events.

Hope this helps to sort this out ...

cheers, MuS

Reply
Solved! Jump to solution

xvxt006
Contributor
‎02-02-2015 08:00 AM

:-)...I missed that. Thank you.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎02-02-2015 08:01 AM

you're welcome 🙂

0 Karma
Reply
Solved! Jump to solution

xvxt006
Contributor
‎02-02-2015 08:18 AM

One last question - by using the above query, for "this week" we are going to get the counts for whole week right? What if i just want to get the count only for today compared to same day last week by date_hour?

0 Karma
Reply
Solved! Jump to solution

xvxt006
Contributor
‎02-02-2015 07:21 AM

Nice. i have tried that..

status=404  earliest=@d latest=now | eval last_week=relative_time(now(), "-7d@d") | stats count(eval(if(last_week > _time, status, null()))) AS last_week count(eval(if(last_week < _time, status, null()))) AS this_week by date_hour | table date_hour, last_week, this_week

For some reason it shows 0 counts for the last week

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎02-02-2015 07:54 AM

the base search used earliest=@d and later you used in the eval -7d@d so you will never get any data for the last_week 🙂

Try this for yesterday and today comparison:

status=404  earliest=-1d@d latest=now | eval last_day=relative_time(now(), "-0d@d") | stats count(eval(if(last_day > _time, status, null()))) AS yesterday count(eval(if(last_day < _time, status, null()))) AS today by date_hour
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...