topic Using variable &quot;total_dataconsumed&quot; how do I find biggest gainer/loser (per 24-hour period) in Splunk Search https://community.splunk.com/t5/Splunk-Search/Using-variable-quot-total-dataconsumed-quot-how-do-I-find/m-p/340546#M101006 <P>I have event data in below format:</P> <PRE><CODE> Sep 15 2017 07:06:07 app=yahoo dataconsumed=50 Sep 15 2017 08:16:07 app=skype dataconsumed=150 Sep 14 2017 10:26:07 app=facebook dataconsumed=10 Sep 14 2017 12:26:07 app=facebook dataconsumed=5 Sep 13 2017 7:26:07 app=yahoo dataconsumed=10 Sep 13 2017 9:26:07 app=skype dataconsumed=50 Sep 12 2017 3:26:07 app=facebook dataconsumed=80 Sep 12 2017 1:26:07 app=facebook dataconsumed=0 </CODE></PRE> <P>For example: for above dataset:</P> <PRE><CODE>...|if( ((total_dataconsumed by app in last half of time) - (total_dataconsumed by app in fprevious half of time) ) &gt;0, "gainer", "loser") </CODE></PRE> <P>for above sample dataset result would be:</P> <PRE><CODE>app gainer_or_loser dataconsumed ---------------------------------------------------- yahoo gainer 40 skype gainer 100 facebook loser -65 </CODE></PRE> Sat, 16 Sep 2017 09:53:32 GMT sohaibomar 2017-09-16T09:53:32Z Using variable "total_dataconsumed" how do I find biggest gainer/loser (per 24-hour period) https://community.splunk.com/t5/Splunk-Search/Using-variable-quot-total-dataconsumed-quot-how-do-I-find/m-p/340546#M101006 <P>I have event data in below format:</P> <PRE><CODE> Sep 15 2017 07:06:07 app=yahoo dataconsumed=50 Sep 15 2017 08:16:07 app=skype dataconsumed=150 Sep 14 2017 10:26:07 app=facebook dataconsumed=10 Sep 14 2017 12:26:07 app=facebook dataconsumed=5 Sep 13 2017 7:26:07 app=yahoo dataconsumed=10 Sep 13 2017 9:26:07 app=skype dataconsumed=50 Sep 12 2017 3:26:07 app=facebook dataconsumed=80 Sep 12 2017 1:26:07 app=facebook dataconsumed=0 </CODE></PRE> <P>For example: for above dataset:</P> <PRE><CODE>...|if( ((total_dataconsumed by app in last half of time) - (total_dataconsumed by app in fprevious half of time) ) &gt;0, "gainer", "loser") </CODE></PRE> <P>for above sample dataset result would be:</P> <PRE><CODE>app gainer_or_loser dataconsumed ---------------------------------------------------- yahoo gainer 40 skype gainer 100 facebook loser -65 </CODE></PRE> Sat, 16 Sep 2017 09:53:32 GMT https://community.splunk.com/t5/Splunk-Search/Using-variable-quot-total-dataconsumed-quot-how-do-I-find/m-p/340546#M101006 sohaibomar 2017-09-16T09:53:32Z Re: Using variable "total_dataconsumed" how do I find biggest gainer/loser (per 24-hour period) https://community.splunk.com/t5/Splunk-Search/Using-variable-quot-total-dataconsumed-quot-how-do-I-find/m-p/340547#M101007 <P>hmm are these columns in a CSV file or what is the format of the data source? The result needs a bit tweaking based on your data source</P> Sat, 16 Sep 2017 12:27:24 GMT https://community.splunk.com/t5/Splunk-Search/Using-variable-quot-total-dataconsumed-quot-how-do-I-find/m-p/340547#M101007 Sukisen1981 2017-09-16T12:27:24Z Re: Using variable "total_dataconsumed" how do I find biggest gainer/loser (per 24-hour period) https://community.splunk.com/t5/Splunk-Search/Using-variable-quot-total-dataconsumed-quot-how-do-I-find/m-p/340548#M101008 <P>I tried this with your events in a notepad as follows:<BR /> Sep 15 2017 07:06:07 app=yahoo dataconsumed=50<BR /> Sep 15 2017 08:16:07 app=skype dataconsumed=150<BR /> Sep 14 2017 10:26:07 app=facebook dataconsumed=10<BR /> Sep 14 2017 12:26:07 app=facebook dataconsumed=5<BR /> Sep 13 2017 7:26:07 app=yahoo dataconsumed=10<BR /> Sep 13 2017 9:26:07 app=skype dataconsumed=50<BR /> Sep 12 2017 3:26:07 app=facebook dataconsumed=80</P> <H1>Sep 12 2017 1:26:07 app=facebook dataconsumed=0</H1> <P>| eval t=strftime(_time,"%Y-%m-%d")<BR /> | eval t1=strptime(t,"%Y-%m-%d")<BR /> | eval d=strftime(relative_time(now(),"-2d"),"%Y-%m-%d")<BR /> | eventstats max(t1) as f by app <BR /> | eval d1=t1-f<BR /> | eval c=if(f=t1,"c",if(d1=d,"p","nc"))<BR /> | chart sum(dataconsumed) by app,c <BR /> | eval dataconsumed=c-nc <BR /> |eval gainer_or_looser=if(dataconsumed &gt;0,"gainer",if(dataconsumed=0,"even","looser")) <BR /> | fields app,gainer_or_looser,dataconsumed <BR /> | sort - app</P> Tue, 29 Sep 2020 15:46:23 GMT https://community.splunk.com/t5/Splunk-Search/Using-variable-quot-total-dataconsumed-quot-how-do-I-find/m-p/340548#M101008 Sukisen1981 2020-09-29T15:46:23Z Re: Using variable "total_dataconsumed" how do I find biggest gainer/loser (per 24-hour period) https://community.splunk.com/t5/Splunk-Search/Using-variable-quot-total-dataconsumed-quot-how-do-I-find/m-p/340549#M101009 <P>The data is in simple txt file. Splunk is easily able to extract time and fields out of it</P> Sat, 16 Sep 2017 14:04:17 GMT https://community.splunk.com/t5/Splunk-Search/Using-variable-quot-total-dataconsumed-quot-how-do-I-find/m-p/340549#M101009 sohaibomar 2017-09-16T14:04:17Z Re: Using variable "total_dataconsumed" how do I find biggest gainer/loser (per 24-hour period) https://community.splunk.com/t5/Splunk-Search/Using-variable-quot-total-dataconsumed-quot-how-do-I-find/m-p/340550#M101010 <P>hi please my answer below in details, i posted it as a separate entry</P> Sat, 16 Sep 2017 14:25:20 GMT https://community.splunk.com/t5/Splunk-Search/Using-variable-quot-total-dataconsumed-quot-how-do-I-find/m-p/340550#M101010 Sukisen1981 2017-09-16T14:25:20Z