topic Re: Finding Delta between 2 sets of events in Splunk Search

How to find Delta between 2 sets of events?

SplunkDash — Thu, 01 Dec 2022 16:18:17 GMT

Hello,

I have use cases to find the Delta between 2 sets of events. We get events once a day, our objective is to find the delta between current events (event received today) and the events we received yesterday and create a report based on that delta (events). Any recommendation would be highly appreciated. Thank you so much.

Re: Finding Delta between 2 sets of events

bowesmana — Wed, 30 Nov 2022 02:03:28 GMT

Not sure what you understand by "delta", but this sort of starting point

(search_today_events) OR (search_yesterday_events) | eval group=if(_time > relative_time(_time, "@d"), "today", "yesterday") | stats count by group

This will simply search for both yesterday's events and today's events and do a "count" of total events found in each "group"

If your meaning of 'delta' encompasses other differences, e.g. count of logons, sales of product, then you will have to expand on this basic type of search

Re: Finding Delta between 2 sets of events

SplunkDash — Wed, 30 Nov 2022 02:18:30 GMT

Hello,

Thank you so much for your quick response, truly appreciate it.

Delta Meant:

[Delta] = [Today's Events - Yesterday's Events]

[Report] = [Delta]

Let me know if you need any more clarifications on it.

Re: Finding Delta between 2 sets of events

bowesmana — Wed, 30 Nov 2022 07:02:35 GMT

Simple search then looks like this

It will give you a single value 'delta' with a positive (increase) or negative (decrease) of previous day's event count.

Re: Finding Delta between 2 sets of events

SplunkDash — Thu, 01 Dec 2022 13:46:45 GMT

Hello,

Thank you again. Yes, it's giving be the values in positive /negative increases. But my interest is to get the list of those events. Any recommendation would be highly appreciated.

Re: Finding Delta between 2 sets of events

PickleRick — Thu, 01 Dec 2022 14:26:08 GMT

There is a set command - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Set

But I'd rather use the "clasify and filter" approach.

Something like

<your search>
| eval is_yesterday=if(now()-_time>86400,1,0)
| stats values(is_yesterday) by <your relevant fields>
| search NOT is_yesterday=1

Of course you can adjust the is_yesterday calculation to your needed condition.

Re: Finding Delta between 2 sets of events

bowesmana — Fri, 02 Dec 2022 00:41:55 GMT

That was the purpose of my question around what is 'delta'.First you need to clarify what events constitute a 'difference'. i.e. how can the search know what event yesterday corresponds to its equivalent matching event today.

Please provide some examples of events from 'yesterday' that are

1. The same and should be ignored

2. Different and should be listed in the delta

Re: Finding Delta between 2 sets of events

SplunkDash — Fri, 02 Dec 2022 00:55:55 GMT

@bowesmana

Thank you for your quick response. Here are what you requested:

1. The same and should be ignored

Today's Events= Yesterday Events + New Events

2. Different and should be listed in the delta

Only we need Display New Events (Different) as Delta

Please let me know if you need more clarifications. Thank you again.

Re: Finding Delta between 2 sets of events

bowesmana — Fri, 02 Dec 2022 01:06:28 GMT

Clarification required:

You need to be clear on what equality means

If yesterday you have

event1 : time=... message=this is a message

and today you have

event 1: time=... message=this is also a message

is that the same or different?

Please provide examples of what you mean by

today = yesterday

Re: Finding Delta between 2 sets of events

SplunkDash — Fri, 02 Dec 2022 01:21:57 GMT

@bowesmana

Ok got it.

yesterday I have

event1 : time=... message=this is a message

event2 : time=... message=this is a message

event 3 : time=... message=this is a message

event4 : time=... message=this is a message

and today I have

event1 : time=... message=this is a message

event2 : time=... message=this is a message

event 3 : time=... message=this is a message

event4 : time=... message=this is a message

event5 : time=... message=this is a message

event6 : time=... message=this is a message

is that the same or different? Events 1-3 in both cases are the same. But Event 4 is different and Event 5-6 completely new events and are also different

Let me know if you need more clarifications. Thank you!

Re: Finding Delta between 2 sets of events

bowesmana — Fri, 02 Dec 2022 01:37:18 GMT

Why is event 4 different?

So, are you saying that if you have 10 events yesterday and 12 events today, then it DOES NOT MATTER what those event contain, you ONLY want to know that the difference is 2 events and then to see all events above event 10.

What if you had 10 events yesterday and 8 events today - what do you want to see?

It would be really helpful if you could provide a real scenario example of your data and explain what it is you are trying to see

Re: Finding Delta between 2 sets of events

SplunkDash — Fri, 02 Dec 2022 01:37:32 GMT

@bowesmana

One more to add: It should only display events 4, 5, and 6 as a Delta. Thank you again.

Re: Finding Delta between 2 sets of events

SplunkDash — Fri, 02 Dec 2022 01:44:06 GMT

@bowesmana

It was just an example, there might be more events. In our last example, we only need to see, events 4,5, and 6, since info/content of events 4,5, and 6 are not the same what we had yesterday. Thank you again!