https://community.splunk.com/t5/Splunk-Search/Comparing-sum-results-between-several-days/m-p/537339#M151897 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230904">@KaitoKozo</a>,</P><P>Please try below;</P><P>&nbsp;</P><LI-CODE lang="markup">index=power_consumption earliest=-3d@d | timechart span=1d sum(consumption) as consumption | streamstats window=2 current=f avg(consumption) as last2days | tail 1 | where last2days&gt;0 AND consumption&gt;last2days*1.2</LI-CODE><P>&nbsp;</P> Wed, 27 Jan 2021 04:19:15 GMT scelikok 2021-01-27T04:19:15Z https://community.splunk.com/t5/Splunk-Search/Comparing-sum-results-between-several-days/m-p/537335#M151894 <P>I am trying to average the sum of power consumption readings between 2 days and compare that sum to a 3rd day. If the 3rd day’s total power consumption is 20% higher than the average of the previous 2 days, I would like to flag the day as having more power consumption than usual.</P><P>The main issue I have is in trying to do this comparison as I’m unsure if it’s possible to store data as variables similar to programming and am unable to do the full search/compute/compare in 1 line, in particular trying to target “specific dates relative to current date”.</P><P>I am having difficulty trying to implement my logic process in splunk as I am still relatively new to the system and am unsure about the capabilities and syntax of this platform.</P><P>&nbsp;</P> Wed, 27 Jan 2021 03:28:40 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-sum-results-between-several-days/m-p/537335#M151894 KaitoKozo 2021-01-27T03:28:40Z https://community.splunk.com/t5/Splunk-Search/Comparing-sum-results-between-several-days/m-p/537339#M151897 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230904">@KaitoKozo</a>,</P><P>Please try below;</P><P>&nbsp;</P><LI-CODE lang="markup">index=power_consumption earliest=-3d@d | timechart span=1d sum(consumption) as consumption | streamstats window=2 current=f avg(consumption) as last2days | tail 1 | where last2days&gt;0 AND consumption&gt;last2days*1.2</LI-CODE><P>&nbsp;</P> Wed, 27 Jan 2021 04:19:15 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-sum-results-between-several-days/m-p/537339#M151897 scelikok 2021-01-27T04:19:15Z https://community.splunk.com/t5/Splunk-Search/Comparing-sum-results-between-several-days/m-p/537534#M151972 <P>Thanks! This has helped a bunch! However, I'm now getting an error that it has the '&gt;' operator received different types in the where command.&nbsp;</P><P>Through some testing, I have found out that the comparison of "Consumption &gt; last2days*1.2" is the one causing issues, in particular "last2days*1.2". I am able to run the code if I change it to "Consumption &gt; last2days", however the final result that appears is that Consumption is lesser than last2days.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KaitoKozo_0-1611803429908.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12707i7148B1944A1727C3/image-size/medium?v=v2&amp;px=400" role="button" title="KaitoKozo_0-1611803429908.png" alt="KaitoKozo_0-1611803429908.png" /></span></P><P>This is the SS of the results that showed up when I added your modifications with "Consumption &gt; last2days" instead.</P><P>Edit: I just digested and understood what the code does, so that 1 result was actually supposed to appear. Is there any way to create a chart that will plot those situations that only have days where the consumption is higher than the previous 2 days?</P> Thu, 28 Jan 2021 03:28:13 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-sum-results-between-several-days/m-p/537534#M151972 KaitoKozo 2021-01-28T03:28:13Z