https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35368#M178450 <P>SQL is an entirely different thing <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span> </P> <P>Using streamstats, you can start like this (untested, don't have splunk for android...):</P> <PRE><CODE>you base search | streamstats current=f window=1 global=f last(field1) as last_field1 by user | where field1!=last_field1 </CODE></PRE> <P>The streamstats copies the last value into the current event, and the where only keeps those where the value has changed. For reference, take a look at <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats</A> in case I mixed up some switch... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 16 May 2013 17:46:02 GMT martin_mueller 2013-05-16T17:46:02Z https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35365#M178447 <P>A logon script generates an event every time a user logs into the desktop. Here are the sample events in Splunk from those events -</P> <P>user_A;05/10/13 10:15:01 AM;field1="cat";field2="mouse"<BR /> user_B;05/10/13 09:01:01 AM;field1="cat";field2="mouse"<BR /> user_A;05/09/13 09:05:01 AM;field1="mouse";field2="horse"<BR /> user_B;05/09/13 09:01:01 AM;field1="cat";field2="mouse"<BR /> user_A;05/08/13 11:05:01 AM;field1="mouse";field2="horse"</P> <P>I want to be able to generate a report when "field1" changes per user, even compared to the last event. In this case I want a report that lists the event "user_A;05/10/13 10:15:01 AM;field1="cat";field2="mouse". Any help would be appreciated.</P> <P>Thanks.</P> Mon, 28 Sep 2020 13:54:30 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35365#M178447 sudhir_gandhe 2020-09-28T13:54:30Z https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35366#M178448 <P>You could use streamstats to copy the previous field value into the current event by user, and then do the comparisons and filters you like.</P> Thu, 16 May 2013 06:49:42 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35366#M178448 martin_mueller 2013-05-16T06:49:42Z https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35367#M178449 <P>I am not really a SQL guys and havent used streamstats before. Can you help build me this query? Thanks for any help.</P> Thu, 16 May 2013 17:21:06 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35367#M178449 sudhir_gandhe 2013-05-16T17:21:06Z https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35368#M178450 <P>SQL is an entirely different thing <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span> </P> <P>Using streamstats, you can start like this (untested, don't have splunk for android...):</P> <PRE><CODE>you base search | streamstats current=f window=1 global=f last(field1) as last_field1 by user | where field1!=last_field1 </CODE></PRE> <P>The streamstats copies the last value into the current event, and the where only keeps those where the value has changed. For reference, take a look at <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats</A> in case I mixed up some switch... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 16 May 2013 17:46:02 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35368#M178450 martin_mueller 2013-05-16T17:46:02Z https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35369#M178451 <P>Perfect. Thank you very much.</P> Fri, 17 May 2013 15:36:29 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35369#M178451 sudhir_gandhe 2013-05-17T15:36:29Z https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35370#M178452 <P>Hi,</P> <P>I think i have got a similiar problem, which can hopefully be solved with this kind of search.</P> <P>I want to achieve a timechart, where the count per day is about all unique users who have been active on that day <STRONG>and</STRONG> the day before.</P> <P>For Instance:</P> <P>02.01.2013 - 2500 -&gt; this means, that 2500 users have been active on 01.01.2013 and 02.01.013</P> <P>I'm not 100 % sure about the effects of the streamstats command, but after reading the posts above, my approach would be:</P> <P>sourcetype=A |bucket _time span=1d| dedup _time,user| sort _time<BR /> | streamstats current=f window=1 global=f last(_time) as previous_time by user | eval returning_user=_time-previous_time | where returning_user="86400"| timechart span=1d dc(user)</P> <P>Is this a correct adjustment to achieve my needed resultt with this kind of search?</P> <P>Best Regards</P> <P>Heinz</P> Mon, 28 Sep 2020 15:08:28 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-fields-with-previous-events/m-p/35370#M178452 HeinzWaescher 2020-09-28T15:08:28Z