New to Splunk and am working with the search tool. I can pull the total counts by host no problem but am trying to figure out the most efficient way to accomplish the following:
I want to compare the last 7 days of data for a host and also trend the data, e.g. day 1 had 1k events, day 2 had 1200, and chart this change accordingly. Would this be accomplished through the date_mday function?
I found this, which I think shows the average for the last 3 days compared to today, but I don't think it is going to give me what I am looking for:
earliest=-3d@d latest=@d | stats count as dailyCount by date_mday | stats avg(dailyCount) as Weekly_Average |join [search earliest=-24h@h latest=@h | stats count as Todays_Count ] | fieldformat Weekly_Average=round(Weekly_Average,0)
Thanks for helping a newbie!
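One way to get a per-day count for a single host over the last seven complete days, plus the day-over-day change, as an added example that is not part of the original post. It assumes an index called main and a host called web01; substitute your own. The timechart bucket on _time replaces the date_mday grouping, which breaks across month boundaries, and delta computes the difference from the previous day's bucket.

```spl
index=main host=web01 earliest=-7d@d latest=@d
| timechart span=1d count AS daily_count
| delta daily_count AS change
| eval pct_change=if(isnull(change) OR (daily_count-change)=0, null(), round(100*change/(daily_count-change), 1))
| fields _time daily_count change pct_change
```

The first row has no previous day, so change and pct_change are empty there; the eval also guards against a previous day with zero events to avoid a division by zero. Because latest=@d stops at midnight today, only full days are counted; a partial day would otherwise show up as a false drop at the end of the chart. Remove host=web01 and use count BY host in the timechart to get one series per host on the same chart.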