topic Re: Compare result count in Splunk Dev

Compare result count

bharathkumarnec — Mon, 08 Jan 2018 11:57:32 GMT

HI All,

I would like to compare the result count today with the count same date last month.

Kindly let me know the best way to achieve this.

Regards,
BK

Re: Compare result count

cmerriman — Mon, 08 Jan 2018 12:54:56 GMT

do you have any syntax worked out as so far? are you looking to compare the count from today (Jan 8, 2018) to the same day last month (Dec 8, 2017) or more month over month count?

Re: Compare result count

bharathkumarnec — Mon, 08 Jan 2018 12:58:26 GMT

@cmerriman, No i dont have any and yes the one you mentioned is what i am looking for!

Re: Compare result count

mayurr98 — Mon, 08 Jan 2018 13:11:49 GMT

hey try this!

you can use timewrap command!
https://splunkbase.splunk.com/app/1645/

index=<your_index> | timechart count span=1d  | timewrap m | sort- _time

Run this for last two months!

I hope this helps you!

Re: Compare result count

cmerriman — Mon, 08 Jan 2018 13:36:31 GMT

building off of this answer
here is some documentation on timewrap:
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Timewrap
Timewrap is an app in Splunkbase and was made into a Splunk function either in 6.5 or 6.6, I believe. So if you have an older version of Splunk, you may need to install https://splunkbase.splunk.com/app/1645/
if you want a comparison for percent change day over day, add this:
| rename 1month_before as last_month |eval perc_change=round(((latest_month - last_month)/abs(last_month))*100,2)