Hello. I've come back to continue the question I asked a few days ago.
This is my last question: https://answers.splunk.com/answers/664833/how-to-separate-rows-as-column.html
My data have 3 fields: LastName, FirstName, Age
I'm using this query over the last 2 days:
| tstats count where LastName=* by FirstName, Age, _time span=1d prestats=true
| stats count by FirstName, Age, _time
Then I get a result like the one below:
FirstName  Age  _time       count
A          24   2018-06-11  11
A          24   2018-06-12  22
A          30   2018-06-11  33
A          30   2018-06-12  44
B          26   2018-06-11  55
B          26   2018-06-12  66
And I want to get a result like this:
FirstName  Age  2daysago_count  1dayago_count
A          24   11              22
A          30   33              44
B          26   55              66
(Not for this question, but I'm gonna make a new column to calculate differences between 2daysago_count and 1dayago_count)
What should I do?
Any search approach is fine, as long as I can use "tstats" (to reduce search time).
You can transform the first table into the second one, make a new search, or whatever.
Help please
If I could do the same as above based not only on the time span but also on one of the other fields, please let me know.