Solved: How create an alert to compare yesterday and today...

vrmandadi · ‎05-12-2022

I am trying to create an alert which will compare yesterday and today for a particular field and show what is the difference.

I want to count the total for field called "id" for today and compare the count with yesterday and show the count difference and the id's which are different .

richgalloway · ‎05-12-2022

See if this helps at all.

index=foo earliest=-1d@d latest=@d
| stats count as yesterday by id
| append [ search index=foo earliest=@d latest=now | stats count as today by id ]
| stats values(*) as * by id
| eval diff = today - yesterday

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-12-2022

See if this helps at all.

index=foo earliest=-1d@d latest=@d
| stats count as yesterday by id
| append [ search index=foo earliest=@d latest=now | stats count as today by id ]
| stats values(*) as * by id
| eval diff = today - yesterday

---
If this reply helps you, Karma would be appreciated.

vrmandadi · ‎05-21-2022

Thank You

How create an alert to compare yesterday and today and show the difference for a value?

alert condition

other

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor