Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: comparing results from 2 days
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
michal_centralw
Explorer
06-11-2014
07:57 AM
Hi,
Is there a way to compare results of number of hosts reporting from 2 different days and show only the one which are different?
I tried the following search
unix_category="WEB PROD" earliest=-0d@d latest=now | dedup host| table host | sort by host | append [search unix_category="WEB PROD" earliest=-1d@d latest=-0d@d]
But that was only showing me all the hosts, not the difference.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-11-2014
08:58 AM
Try this
| set diff [search unix_category="WEB PROD" earliest=-0d@d latest=now | stats count by host | fields - count] [search unix_category="WEB PROD" earliest=-1d@d latest=@d| stats count by host | fields - count]
OR
unix_category="WEB PROD" earliest=-2d@d latest=now | stats values(date_mday) as Days by host | where mvcount(Days)=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-11-2014
08:58 AM
Try this
| set diff [search unix_category="WEB PROD" earliest=-0d@d latest=now | stats count by host | fields - count] [search unix_category="WEB PROD" earliest=-1d@d latest=@d| stats count by host | fields - count]
OR
unix_category="WEB PROD" earliest=-2d@d latest=now | stats values(date_mday) as Days by host | where mvcount(Days)=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aweitzman
Motivator
06-11-2014
09:46 AM
One thing that works nicely with the "| set diff" answer is to copy the field you're comparing to one with a different name (eval host2=host | stats count by host2) in the second search. Then when you get the results, each set's difference is in its own column (rather than combined together).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
michal_centralw
Explorer
06-11-2014
09:40 AM
superb! the first search worked like a charm!
Get Updates on the Splunk Community!
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
