Folks
I am new to Splunk, so pardon the basic question here. I am trying to find in my application which new errors occurred over the past 24 hours that we never encountered in the past week. Here is my query:
CASE(ERROR) earliest=-24h@h latest=now | stats count as errsToday by class source linecount | sort by class source linecount | appendcols [ search CASE(ERROR) earliest=-8d@d latest=-24h@h | stats count as errsLastWeek by class source linecount| sort by class source linecount ] | eval errsLastWeek=if(isnull(errsLastWeek),0,errsLastWeek) | eval errsToday=if(isnull(errsToday),0,errsToday) | table errsLastWeek errsToday class source linecount
My question is whether anyone has comments on the above query, and, assuming it is correct, I have the following problem. In the results I get lines as follows:
errsLastWeek  errsToday  class  source   linecount
3             4          Foo    foo.txt  5
5             0          Foo    foo.txt  5
I would like to process further so I get:
errsLastWeek  errsToday  class  source   linecount
8             4          Foo    foo.txt  5
Thanks in advance for the advice.
-a
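One way to get a single row per class/source/linecount without relying on appendcols (which pairs rows by position, not by key), as an added example that is not part of the original post: search the whole 8-day window once, tag each event by period with eval, and count both periods in one stats call. The field names, time boundaries and the "Foo"/"foo.txt" sample values are taken from the post above; everything else is an assumption.

```spl
CASE(ERROR) earliest=-8d@d latest=now
| eval period=if(_time >= relative_time(now(), "-24h@h"), "today", "lastweek")
| stats count(eval(period="today")) as errsToday,
        count(eval(period="lastweek")) as errsLastWeek
        by class source linecount
| where errsLastWeek=0
| table errsLastWeek errsToday class source linecount
```

Because stats counts both periods in the same group, errsLastWeek and errsToday are 0 rather than null when a period has no events, so the two isnull evals are no longer needed; drop the `where` line to see every combination instead of only the errors that are new in the last 24 hours.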