topic Re: How do I find the delta between sum of values for two days with below query? in Splunk Search

How do I find the delta between sum of values for two days with below query?

rajapr15 — Tue, 29 Sep 2020 12:40:36 GMT

index=_internal type=usage idx=wineventlog | bucket span=1d _time | stats sum(b) as sum by h,_time

The above query gives the sum for "b" values over a period of one day. If I run the query for time period of two days I get two sums for "h". Difference between these two sums need to be found.

Re: How do I find the delta between sum of values for two days with below query?

rjthibod — Tue, 31 Jan 2017 13:41:41 GMT

Look at the last answer in this post

https://answers.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts.html

index=_internal type=usage idx=wineventlog 
| bucket span=1d _time 
| stats sum(b) as b by h,_time
| streamstats current=t global=f window=2 latest(b) as curr earliest(b) as next by h
| eval delta=next-curr
| timechart span=1d sum(delta) as delta by h

Re: How do I find the delta between sum of values for two days with below query?

rajapr15 — Tue, 29 Sep 2020 12:40:43 GMT

Thanks!

I found an alternative which worked for me-

index=_internal type=usage idx=wineventlog | chart sum(b) by h date_wday | eval diff=sunday-tuesday | eval diff=abs(diff) | sort -diff

Re: How do I find the delta between sum of values for two days with below query?

rjthibod — Tue, 31 Jan 2017 16:04:33 GMT

the date_* fields are not considered authoritative from an accuracy standpoint, and your query will only work as long as you have queries less than one week (non-overlapping days of the week).