https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142373#M29112 <P>Based on above generated data, you can do this:</P> <PRE><CODE>index=main sourcetype=scan host=scanner | sort + _time | streamstats window=1 global=f current=f last(Rating) as last_rating by ComputerID | eval "Rating Change" = Rating - last_rating | table _time ComputerID Rating "Rating Change" </CODE></PRE> Thu, 24 Apr 2014 20:11:10 GMT martin_mueller 2014-04-24T20:11:10Z https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142371#M29110 <P>Hello,</P> <P>So every 24 hours we run daily evaluations on computers that create numerical ratings. Our daily reports display Time(of scan), ComputerID, rating value. After 24 hours, all nodes are scanned again. Some will (hopefully) have a lower numerical rating value. We would like to run a separate report showing the change in value of the numerical rating for each compuert that actually changed over the 24 hour period. </P> <P>ComputerID=5 character alpha numeric<BR /> Rating value=0-100</P> <P>The following query works for single instances of evaluation.<BR /> index=main sourcetype=scan host=scanner ComputerID==1234R | stats range(numerical_rating) AS "Daily Change",values AS Computers | table Computers,"Daily Changes"</P> <P>Unfortunately we can not get this to evaluate properly against 200 computerIDs at one time. Is there a way to separate out the duplicate computerIDs with associated unique numerical_ratings and then get the difference of the numerical_rating reported with the associated computerID?<BR /> DOH!</P> <P>Thanks!</P> Mon, 28 Sep 2020 16:27:59 GMT https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142371#M29110 mphillips_18 2020-09-28T16:27:59Z https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142372#M29111 <P>Does this generate a data set matching your events?</P> <PRE><CODE>| gentimes start=-10 | eval _time = endtime | fields _time | eval ComputerID = "id1 id2 id3" | makemv ComputerID | mvexpand ComputerID | eval Rating = random()%101 </CODE></PRE> Thu, 24 Apr 2014 20:04:55 GMT https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142372#M29111 martin_mueller 2014-04-24T20:04:55Z https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142373#M29112 <P>Based on above generated data, you can do this:</P> <PRE><CODE>index=main sourcetype=scan host=scanner | sort + _time | streamstats window=1 global=f current=f last(Rating) as last_rating by ComputerID | eval "Rating Change" = Rating - last_rating | table _time ComputerID Rating "Rating Change" </CODE></PRE> Thu, 24 Apr 2014 20:11:10 GMT https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142373#M29112 martin_mueller 2014-04-24T20:11:10Z https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142374#M29113 <P>Thanks...the query returns data except for the "Rating Change" value. None of the duplicate computerIDs display a value for Rating - last_rating</P> Thu, 24 Apr 2014 20:24:08 GMT https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142374#M29113 mphillips_18 2014-04-24T20:24:08Z https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142375#M29114 <P>Make sure your field names match. For example, you've said <CODE>ComputerID</CODE> in the question but <CODE>computerID</CODE> in this comment.</P> Thu, 24 Apr 2014 20:25:51 GMT https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142375#M29114 martin_mueller 2014-04-24T20:25:51Z https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142376#M29115 <P>BINGO! I missed one of the fields.</P> <P>Thank you</P> Thu, 24 Apr 2014 20:34:58 GMT https://community.splunk.com/t5/Getting-Data-In/Reporting-on-Duplicates/m-p/142376#M29115 mphillips_18 2014-04-24T20:34:58Z