https://community.splunk.com/t5/Splunk-Search/How-to-search-the-percentage-change-between-multiple-dates/m-p/223329#M65743 <P>Have you looked at appendcols?</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Appendcols">http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Appendcols</A></P> Tue, 10 Nov 2015 17:03:05 GMT sundareshr 2015-11-10T17:03:05Z https://community.splunk.com/t5/Splunk-Search/How-to-search-the-percentage-change-between-multiple-dates/m-p/223328#M65742 <P>So I loaded some old stock market data into Splunk and now I'm trying to make a big table that shows the percentage change from 1 week ago, 1 month ago etc.</P> <P>What I want to end up with is something like this:<BR /> ** symbol | 1w change | 1m change **<BR /> SPY | 5% | 10%<BR /> SPLK | 3% | 15%</P> <P>All events have the fields like this:</P> <PRE><CODE>Adj Close = 210.039993 Close = 210.039993 Date = 2015-11-06 High = 210.320007 Low = 208.460007 Open = 209.740005 Volume = 105423100 category = Large Blend index = quote name = SPDR S&amp;P 500 ETF sourcetype = his_quote symbol = SPY </CODE></PRE> <P>Is it possible to do what I want to? I have not been able to get close to what I want. </P> <P>I tried to do something like this (pseudo code), but it is not working for me. </P> <PRE><CODE>search get all quote data | save latest as close_now | subsearch [ search earliest=-1w | save latest as close_1w_ago | eval diff_pct=(close_now-close_1w_ago)/close_1w_ago*100 | table symbol diff_pct as "1w change" </CODE></PRE> <P>Any help would be appreciated</P> Tue, 10 Nov 2015 05:39:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-percentage-change-between-multiple-dates/m-p/223328#M65742 jihape 2015-11-10T05:39:55Z https://community.splunk.com/t5/Splunk-Search/How-to-search-the-percentage-change-between-multiple-dates/m-p/223329#M65743 <P>Have you looked at appendcols?</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Appendcols">http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Appendcols</A></P> Tue, 10 Nov 2015 17:03:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-percentage-change-between-multiple-dates/m-p/223329#M65743 sundareshr 2015-11-10T17:03:05Z https://community.splunk.com/t5/Splunk-Search/How-to-search-the-percentage-change-between-multiple-dates/m-p/223330#M65744 <P>I figured it out.</P> <PRE><CODE>index=quote earliest=-1w latest=now | stats earliest(Close) as e_close latest(Close) as l_close by symbol | eval 1w=(l_close-e_close)/e_close*100 | appendcols [ search index=quote earliest=-2w latest=now | stats earliest(Close) as e_close latest(Close) as l_close by symbol | eval 2w=(l_close-e_close)/e_close*100 ] | fields symbol 1w 2w </CODE></PRE> Fri, 13 Nov 2015 03:16:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-percentage-change-between-multiple-dates/m-p/223330#M65744 jihape 2015-11-13T03:16:33Z