topic Re: How to compare the hourly count of events for a particular event and show what is the difference in Splunk Search

How to compare the hourly count of events for a particular event and show what is the difference?

vrmandadi — Sun, 22 May 2022 19:26:47 GMT

I am trying to create a search which will give the difference in count for a field called "id" and show what are those different values for that field "id".

For instance if the current hour count for id is 900 and previous hour count is 830 ...I want to see the difference as 70 and show what are those 70 different id's .Currently I am able to get the difference using below search

index="netbox_test"
| rename "results{}.id" as "id"
| timechart span=1h count(id) as total
| delta total as difference

Thanks in Advance

Re: How to compare the hourly count of events for a particular event and show what is the difference

PickleRick — Sun, 22 May 2022 06:12:13 GMT

If the difference in id count between two hour-long periods is 70 doesn't mean that it's only 70 ids that differ. Example - in one hour you have ids of 1,2,3 in next - 4,5. The count difference is 1 but all the ids are different.

Either you're assuming too much or there are additional unmentioned conditions.

Re: How to compare the hourly count of events for a particular event and show what is the difference

vrmandadi — Sun, 22 May 2022 14:33:04 GMT

To be more clear I am pulling netbox data into Splunk...so there are 900 devices in netbox...sometimes these 900 devices might be turned off or removed or added...So when these changes occur the count differs...I want to see what is the difference when compared hourly...I was able to find the difference every hour by using the delta..but I want to know what are those different devices for that particular hour..like comparing current hour with previous hour and show the count difference and what is different.

Example:

Previous Hour: 1 , 2 ,3

Current Hour : 2,3,4,5,6

Difference Count :2

ID's different : 1,4,5,6

Re: How to compare the hourly count of events for a particular event and show what is the difference

PickleRick — Sun, 22 May 2022 16:34:22 GMT

So you see for yourself that simply counting is not a reliable way of noticing that the sets are different. If you had 1,2,3,4 during one hour and 3,4,6,9 next hour, you'd miss that 1,2 turned into 6,9.

Re: How to compare the hourly count of events for a particular event and show what is the difference

ITWhisperer — Sun, 22 May 2022 18:59:09 GMT

| bin _time span=1h | stats dc(_time) as hours min(_time) as _time by id | where hours = 1 | stats values(id) as ids by _time

Ids in the earlier hour are missing from the later hour and ids in the later hour are new to the later hour.

Re: How to compare the hourly count of events for a particular event and show what is the difference

vrmandadi — Mon, 23 May 2022 17:06:52 GMT

Thank You ...Let me check this and get back to you