https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111719#M23409 <P>ya i have access to raw events</P> Mon, 18 May 2015 05:33:39 GMT ektasiwani 2015-05-18T05:33:39Z https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111715#M23405 <P>I have a csv file created by splunk search:<BR /> It contain ip count for last 7 days.<BR /> it looks like this:</P> <P>_time 192.168.10.20 192.168.30.46<BR /> 2015-05-08 145 45<BR /> 2015-05-09 200 200<BR /> 2015-05-10 300 34</P> <P>Now i want to subtract each day count from sum of total count of that ip</P> <P>for example:<BR /> for ip 192.168.30.46 i want out put for date 2015-05-08 as (45+200+34)-45<BR /> how can i achieve this with splunk query?</P> Fri, 15 May 2015 10:12:19 GMT https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111715#M23405 ektasiwani 2015-05-15T10:12:19Z https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111716#M23406 <P>Do you have control over the csv creation? The number of IP addresses will change over the time and hence building a dynamic query will be a challenge. If you have access to raw events, then you can use eventStats sum(count) by ipAddress and then substract the current count.</P> <P>Thanks!!</P> Fri, 15 May 2015 10:47:55 GMT https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111716#M23406 vganjare 2015-05-15T10:47:55Z https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111717#M23407 <P>no i dont have control over ip address. i need dynamic query.<BR /> ip address number will keep on changing.<BR /> is there any way to create dynamic query for this?</P> Fri, 15 May 2015 11:56:52 GMT https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111717#M23407 ektasiwani 2015-05-15T11:56:52Z https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111718#M23408 <P>Do you have access to raw events?</P> Mon, 18 May 2015 04:25:33 GMT https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111718#M23408 vganjare 2015-05-18T04:25:33Z https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111719#M23409 <P>ya i have access to raw events</P> Mon, 18 May 2015 05:33:39 GMT https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111719#M23409 ektasiwani 2015-05-18T05:33:39Z https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111720#M23410 <P>If you have access to raw events, you can try following query:</P> <PRE><CODE>...select the raw events.. | table _time ipAddress | eval date = strftime(_time, "%Y-%m-%d") | stats count as countByDate by date,ipAddress | eventstats count as totalcount by ipAddress | eval customCount = totalcount - countByDate </CODE></PRE> <P>Thanks!!</P> Mon, 18 May 2015 06:33:59 GMT https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111720#M23410 vganjare 2015-05-18T06:33:59Z https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111721#M23411 <P>the query is working but the result is not what i want.<BR /> can you explain me above query?<BR /> totalcount here is not the sum of day wise counts of an ip address.<BR /> my requirement is:<BR /> if 192.168.10.3 count for 2nd of may is 340 and 3rd of feb is 45 and fourth of feb is 10</P> <P>i want to show on 2nd of feb deviation is (340+45+10)-340 , so customCount should show result of this (340+45+10)-340.</P> Mon, 18 May 2015 07:42:19 GMT https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111721#M23411 ektasiwani 2015-05-18T07:42:19Z https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111722#M23412 <P>Hi,</P> <P>My bad. Change the eventstats block to following:</P> <PRE><CODE>| eventstats sum(countByDate) as totalcount by ipAddress </CODE></PRE> <P>This should fix the problem. Can you please verify and confirm?</P> <P>Thanks!!</P> Mon, 18 May 2015 08:00:16 GMT https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111722#M23412 vganjare 2015-05-18T08:00:16Z https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111723#M23413 <P>Thanks vganjare , this is working for me.<BR /> thnku for your time and help...:)</P> Mon, 18 May 2015 08:45:17 GMT https://community.splunk.com/t5/Getting-Data-In/data-from-csv-file-and-working-on-that-with-splunk-query/m-p/111723#M23413 ektasiwani 2015-05-18T08:45:17Z