Splunk Dev

Compare result count

bharathkumarnec
Contributor

HI All,

I would like to compare the result count today with the count same date last month.

Kindly let me know the best way to achieve this.

Regards,
BK

0 Karma

mayurr98
Super Champion

hey try this!

you can use timewrap command!
https://splunkbase.splunk.com/app/1645/

index=<your_index> | timechart count span=1d  | timewrap m | sort- _time

Run this for last two months!

I hope this helps you!

0 Karma

cmerriman
Super Champion

building off of this answer
here is some documentation on timewrap:
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Timewrap
Timewrap is an app in Splunkbase and was made into a Splunk function either in 6.5 or 6.6, I believe. So if you have an older version of Splunk, you may need to install https://splunkbase.splunk.com/app/1645/
if you want a comparison for percent change day over day, add this:
| rename 1month_before as last_month |eval perc_change=round(((latest_month - last_month)/abs(last_month))*100,2)

0 Karma

cmerriman
Super Champion

do you have any syntax worked out as so far? are you looking to compare the count from today (Jan 8, 2018) to the same day last month (Dec 8, 2017) or more month over month count?

0 Karma

bharathkumarnec
Contributor

@cmerriman, No i dont have any and yes the one you mentioned is what i am looking for!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...