Get Previous Session data based on Session filter Splunk

0
votes

I'm facing a problem in splunk like if i choose current session(2020) from filter then i should get the data of previous Session(2019).

I wrote a splunk query like :

index="entab_due" Session=2019 ClassName="* *"
| eval n=(tonumber(Session)-1)
| where totalBalance > 0 and Session = n

but i didn't get any result.

Problem : Get the data of previous session after selecting Session from filter

Please help me to get the solution.

1
splunksplunk-query
By putting Session=2019 in the base query, the results will contain only those events that have 2019 in the Session field. There will be no events with 2018, which is why the query fails. If you want to search for 2018 then put 2018 in the filter. - RichG
I can't do that because some of the panel on that dashboard will working like for 2019 it will process the 2019 data. I'm not using base query model, i'm using diff query for diff panel. Any other solution? - shiva
"base query" has two meanings. One is the part of a query before the first pipe and other other is the first search in a dashboard that uses post-processing. - RichG

1 Answers

0
votes

If two different panels in your dashboard need different data then they probably should use different searches. Or use a base search that gathers the data needed for both and use post-processing to filter the data needed by each panel.