topic How can I compare sum(bytes) in two time period using sub-search? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-sum-bytes-in-two-time-period-using-sub-search/m-p/420542#M120858 <P>Hi. im new to Splunk.</P> <P>I'm trying to compare the sum(bytes) for an hour ago, and the same hour one week before by certain field, and calculate the percentage change for these data. I have tried the following code, but the sum(bytes) it gives for doesn't match the actual value.</P> <PRE><CODE>index=xxx earliest=-60m latest=now | stats sum(bytes) as current by abc | appendcols [search index=xxx earliest=-1h@h-1w latest=@h-1w | stats sum(bytes) as before by abc] | eval diff=current-before | eval percentagediff=round(abs(diff/before)*100,0) </CODE></PRE> <P>The problem is that the current and the before values it returns are really off the actual value it should be at that time. <BR /> May you guys please give me some ideas or suggestions of where could this go wrong?<BR /> Thank you</P> Thu, 23 Aug 2018 21:17:42 GMT everynameIwanti 2018-08-23T21:17:42Z How can I compare sum(bytes) in two time period using sub-search? https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-sum-bytes-in-two-time-period-using-sub-search/m-p/420542#M120858 <P>Hi. im new to Splunk.</P> <P>I'm trying to compare the sum(bytes) for an hour ago, and the same hour one week before by certain field, and calculate the percentage change for these data. I have tried the following code, but the sum(bytes) it gives for doesn't match the actual value.</P> <PRE><CODE>index=xxx earliest=-60m latest=now | stats sum(bytes) as current by abc | appendcols [search index=xxx earliest=-1h@h-1w latest=@h-1w | stats sum(bytes) as before by abc] | eval diff=current-before | eval percentagediff=round(abs(diff/before)*100,0) </CODE></PRE> <P>The problem is that the current and the before values it returns are really off the actual value it should be at that time. <BR /> May you guys please give me some ideas or suggestions of where could this go wrong?<BR /> Thank you</P> Thu, 23 Aug 2018 21:17:42 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-sum-bytes-in-two-time-period-using-sub-search/m-p/420542#M120858 everynameIwanti 2018-08-23T21:17:42Z Re: How can I compare sum(bytes) in two time period using sub-search? https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-sum-bytes-in-two-time-period-using-sub-search/m-p/420543#M120859 <P>@everynameIwantistaken,</P> <P>Try something like this with your timerange settings. </P> <P>for the Subsearch do <CODE>earliest=-169h@h latest=-168h@h</CODE></P> Thu, 23 Aug 2018 22:02:48 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-sum-bytes-in-two-time-period-using-sub-search/m-p/420543#M120859 horsefez 2018-08-23T22:02:48Z Re: How can I compare sum(bytes) in two time period using sub-search? https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-sum-bytes-in-two-time-period-using-sub-search/m-p/420544#M120860 <P>it didn't work. I think is more like the search for the past even where out of place, like same event from last week can have 10times the sum(bytes) than the current values.</P> Fri, 24 Aug 2018 15:53:19 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-compare-sum-bytes-in-two-time-period-using-sub-search/m-p/420544#M120860 everynameIwanti 2018-08-24T15:53:19Z