<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: New User Looking for help comparing values in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/New-User-Looking-for-help-comparing-values/m-p/691727#M235513</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/269438"&gt;@chorn3567&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;please share your search in text mode (using the Insert/Edit code sample button), otherwise it's really difficult to help you.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
    <pubDate>Wed, 26 Jun 2024 18:09:47 GMT</pubDate>
    <dc:creator>gcusello</dc:creator>
    <dc:date>2024-06-26T18:09:47Z</dc:date>
    <item>
      <title>New User Looking for help comparing values</title>
      <link>https://community.splunk.com/t5/Splunk-Search/New-User-Looking-for-help-comparing-values/m-p/691726#M235512</link>
      <description>&lt;P&gt;Hi All! First post, super new user to Splunk.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Have a search that I modified from one a team member previously created. I'm trying to take the output of ClientVersion and compare the 6wkAvg count to the Today count for the same timespan and see what the percentage -/+ is. Ultimately building towards alerting when below a certain threshold.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;LI-CODE lang="python"&gt;| fields _time ClientVersion 
| eval DoW=strftime(_time, "%A")
| eval TodayDoW=strftime(now(), "%A")
| where DoW=TodayDoW
| search ClientVersion=FAPI*
| eval ClientVersion=if((like("ClientVersion=FAPI*","%OR%") OR false()) AND false(), "Combined", ClientVersion)
| bin _time span=5m 
| eval tempTime=strftime(_time,"%m/%d")
| where (tempTime!="null") 
| eval tempTime=if(true() AND _time &amp;lt; relative_time(now(), "@d"), "6wkAvg", "Today")
| stats count by ClientVersion _time tempTime
| eval _time=round(strptime(strftime(now(),"%Y-%m-%d").strftime(_time,"%H:%M:%S"),"%Y-%m-%d%H:%M:%S"),0)
| stats avg(count) as count by ClientVersion _time tempTime
| eval ClientVersion=ClientVersion."-".tempTime 
| eval count=round(count,0)&lt;/LI-CODE&gt;&lt;P&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="chorn3567_1-1719424980247.png" style="width: 400px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/31476i8071A0A6E485535B/image-size/medium?v=v2&amp;amp;px=400" role="button" title="chorn3567_1-1719424980247.png" alt="chorn3567_1-1719424980247.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jun 2024 18:21:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/New-User-Looking-for-help-comparing-values/m-p/691726#M235512</guid>
      <dc:creator>chorn3567</dc:creator>
      <dc:date>2024-06-26T18:21:13Z</dc:date>
    </item>
    <item>
      <title>Re: New User Looking for help comparing values</title>
      <link>https://community.splunk.com/t5/Splunk-Search/New-User-Looking-for-help-comparing-values/m-p/691727#M235513</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/269438"&gt;@chorn3567&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;please share your search in text mode (using the Insert/Edit code sample button), otherwise it's really difficult to help you.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jun 2024 18:09:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/New-User-Looking-for-help-comparing-values/m-p/691727#M235513</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2024-06-26T18:09:47Z</dc:date>
    </item>
    <item>
      <title>Re: New User Looking for help comparing values</title>
      <link>https://community.splunk.com/t5/Splunk-Search/New-User-Looking-for-help-comparing-values/m-p/691729#M235514</link>
      <description>&lt;P&gt;updated post, thank you for the tip!&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jun 2024 18:22:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/New-User-Looking-for-help-comparing-values/m-p/691729#M235514</guid>
      <dc:creator>chorn3567</dc:creator>
      <dc:date>2024-06-26T18:22:01Z</dc:date>
    </item>
    <item>
      <title>Re: New User Looking for help comparing values</title>
      <link>https://community.splunk.com/t5/Splunk-Search/New-User-Looking-for-help-comparing-values/m-p/691748#M235518</link>
      <description>&lt;P&gt;Thank you for updating to text as&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352"&gt;@gcusello&lt;/a&gt;&amp;nbsp;suggested. &amp;nbsp;It would be better if you can illustrate mock data in text tables as well.&lt;/P&gt;&lt;P&gt;It is hard to see how ClientVersion in 6wkAvg could be useful, but I'll just ignore this point. &amp;nbsp;Because the only numeric field is Count, I assume that you want percentage change on this field. &amp;nbsp;Splunk provides a convenient command&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xyseries" target="_blank" rel="noopener"&gt;xyseries&lt;/A&gt;&amp;nbsp;to swap fields into row values. &amp;nbsp;You can do something like this:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| xyseries _time tempTime ClientVersion Count
| eval percentChange = round(('Count: Today' - 'Count: 6wkAvg') / 'Count: 6wkAvg' * 100, 2)&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Your mock data will give&lt;/P&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;_time&lt;/TD&gt;&lt;TD&gt;ClientVersion: 6wkAvg&lt;/TD&gt;&lt;TD&gt;ClientVersion: Today&lt;/TD&gt;&lt;TD&gt;Count: 6wkAvg&lt;/TD&gt;&lt;TD&gt;Count: Today&lt;/TD&gt;&lt;TD&gt;percentChange&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;2024-06-26 00:00:00&lt;/TD&gt;&lt;TD&gt;FAPI-6wkAvg&lt;/TD&gt;&lt;TD&gt;FAPI-today&lt;/TD&gt;&lt;TD&gt;1582&lt;/TD&gt;&lt;TD&gt;2123&lt;/TD&gt;&lt;TD&gt;34.20&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;2024-06-26 00:05:00&lt;/TD&gt;&lt;TD&gt;FAPI-6wkAvg&lt;/TD&gt;&lt;TD&gt;FAPI-today&lt;/TD&gt;&lt;TD&gt;1491&lt;/TD&gt;&lt;TD&gt;1925&lt;/TD&gt;&lt;TD&gt;29.11&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;2024-06-26 00:10:00&lt;/TD&gt;&lt;TD&gt;FAPI-6wkAvg&lt;/TD&gt;&lt;TD&gt;FAPI-today&lt;/TD&gt;&lt;TD&gt;1888&lt;/TD&gt;&lt;TD&gt;2867&lt;/TD&gt;&lt;TD&gt;51.85&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;2024-06-26 00:15:00&lt;/TD&gt;&lt;TD&gt;FAPI-6wkAvg&lt;/TD&gt;&lt;TD&gt;FAPI-today&lt;/TD&gt;&lt;TD&gt;1983&lt;/TD&gt;&lt;TD&gt;2593&lt;/TD&gt;&lt;TD&gt;30.76&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;2024-06-26 00:20:00&lt;/TD&gt;&lt;TD&gt;FAPI-6wkAvg&lt;/TD&gt;&lt;TD&gt;FAPI-today&lt;/TD&gt;&lt;TD&gt;2882&lt;/TD&gt;&lt;TD&gt;3291&lt;/TD&gt;&lt;TD&gt;14.19&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;Is this something you are looking for? &amp;nbsp;Here is an emulation you can play with and compare with real data&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| makeresults format=csv data="ClientVersion,        _time, tempTime, Count
FAPI-6wkAvg,    2024-06-26 00:00:00, 6wkAvg, 1582
FAPI-today,    2024-06-26 00:00:00, Today, 2123
FAPI-6wkAvg,    2024-06-26 00:05:00, 6wkAvg, 1491
FAPI-today,    2024-06-26 00:05:00, Today, 1925
FAPI-6wkAvg,    2024-06-26 00:10:00, 6wkAvg, 1888
FAPI-today,    2024-06-26 00:10:00, Today, 2867
FAPI-6wkAvg,    2024-06-26 00:15:00, 6wkAvg, 1983
FAPI-today,    2024-06-26 00:15:00, Today, 2593
FAPI-6wkAvg,    2024-06-26 00:20:00, 6wkAvg, 2485
FAPI-today,    2024-06-26 00:20:00, Today, 2939
FAPI-6wkAvg,    2024-06-26 00:20:00, 6wkAvg, 2882
FAPI-today,    2024-06-26 00:20:00, Today, 3291"
``` the above emulates
...
| stats avg(count) as count by ClientVersion _time tempTime
| eval ClientVersion=ClientVersion."-".tempTime 
| eval count=round(count,0)
```&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jun 2024 22:21:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/New-User-Looking-for-help-comparing-values/m-p/691748#M235518</guid>
      <dc:creator>yuanliu</dc:creator>
      <dc:date>2024-06-26T22:21:28Z</dc:date>
    </item>
    <item>
      <title>Re: New User Looking for help comparing values</title>
      <link>https://community.splunk.com/t5/Splunk-Search/New-User-Looking-for-help-comparing-values/m-p/691848#M235529</link>
      <description>&lt;P&gt;simple as that, thank you! worked for me.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 27 Jun 2024 13:34:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/New-User-Looking-for-help-comparing-values/m-p/691848#M235529</guid>
      <dc:creator>chorn3567</dc:creator>
      <dc:date>2024-06-27T13:34:31Z</dc:date>
    </item>
  </channel>
</rss>

