Splunk search for Count of events from yesterday and today

    index=_internal earliest=-48h latest=-24h
    | bin _time span=15m
    | stats count by _time
    | eval window="Yesterday"
    | append
        [search index=_internal earliest=-24h
        | bin _time span=15m
        | stats count by _time
        | eval window="Today"
        | eval _time=(_time-(60*60*24))]
    | timechart span=15m sum(count) by window
This Splunk search produces a timechart with two series: one showing the number of events ingested in the most recent 24 hours, and another showing the number of events ingested in the previous 24-hour period. The "Today" results have 24 hours subtracted from _time so that both series are plotted on the same time axis. The results are best viewed as a line chart, which lets you compare today's data ingest with yesterday's.
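
A single-pass variant of the comparison above, added here as an example and not part of the original post: it reads the 48 hours once instead of using append, applies the same 24-hour shift to today's events, and puts both counts on one row per 15-minute bucket so the difference can be read directly. The delta and pct_change field names are chosen for this example.

```spl
index=_internal earliest=-48h latest=now
| eval window=if(_time >= relative_time(now(), "-24h"), "Today", "Yesterday")
| eval _time=if(window="Today", _time - 86400, _time)
| bin _time span=15m
| chart count over _time by window
| fillnull value=0 Today Yesterday
| eval delta=Today - Yesterday
| eval pct_change=if(Yesterday > 0, round(100 * delta / Yesterday, 1), null())
```

Buckets where Yesterday is 0 leave pct_change empty, and the first and last buckets of the rolling window are partial in both series.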

Category: General Splunk

Tags: Admin general internal
