Refer to the Splunk SPL query below:
This query gives the output for 1 day only, like below: Column Header: HotScanMQ | Variance (i.e. Today_30May2023)
I want the output to be displayed in the format below: HotScanMQ | Variance Day1 (30May2023) | Variance Day2 (29May2023) | Variance Day3 (28May2023) | Variance Day4 (27May2023) for each day and so on until Day 30. I want to use a counter to set "earliest" and "latest" sequentially and dynamically by giving a number range. Please suggest a modification to this SPL query accordingly.
index=app_events_reg_filtering_hotscan_de_prod source=*hotscan*hotscn*\/TODAY\/*hot* "<--- TRN" "from" earliest=-7d@d latest=-7d@s
| rex "\: (?<hotgettrn>.*) \- S from"
| rex "HOT\.RCV\.FROM\.(?<HotScanMQ>.*)\@"
| eval Before7Day_Date = strftime(_time,"%Y-%m-%d")
| stats count(hotgettrn) as HotGetBefore7Day by HotScanMQ, Before7Day_Date
| append [
    search index=app_events_reg_filtering_hotscan_de_prod source=*hotscan*hotscn*\/TODAY\/*hot* "<--- TRN" "from" earliest=-0d@d latest=now
    | rex "\: (?<hotgettrn>.*) \- S from"
    | rex "HOT\.RCV\.FROM\.(?<HotScanMQ>.*)\@"
    | eval Today = strftime(_time,"%Y-%m-%d")
    | stats count(hotgettrn) as HotGetToday by HotScanMQ, Today
]
| stats values(*) as * by HotScanMQ
| fillnull HotGetBefore7Day, HotGetToday value="0"
| eval Today=if(isnull(Today) OR len(Today)==0,strftime(now(),"%Y-%m-%d"),Today)
| eval Before7Day_Date=if(isnull(Before7Day_Date) OR len(Before7Day_Date)==0,strftime(relative_time(now(),"-7d@d"),"%Y-%m-%d"),Before7Day_Date)
| eval Variance = case(HotGetBefore7Day > HotGetToday, round(((HotGetToday - HotGetBefore7Day) / HotGetBefore7Day) * 100,2),
    HotGetBefore7Day < HotGetToday, round(((HotGetToday - HotGetBefore7Day) / HotGetToday) * 100,2),
    HotGetBefore7Day = HotGetToday, round(((HotGetBefore7Day - HotGetToday) / HotGetToday) * 100,2))
| table HotScanMQ, Variance