- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Comparing data on two sets obtained from two d...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Comparing data on two sets obtained from two different date ranges?
My data looks something like this
C1 C2 C3 C4 date
1 2 3 4 xx-xx-xxxx
3 4 3 1 xx-xx-xxxx
5 6 7 6 xx-xx-xxxx
C1 C2 C3 C4 date
4 5 3 4 yy-yy-yyyy
2 4 6 1 yy-yy-yyyy
7 4 7 0 yy-yy-yyyy
I am to extract this data from two different dates and compare their means etc.
How should I proceed ?
Any suggestions are welcome.
What I want to do :
Extract data from both dates in a single query
compare means on each column in both sets
display output in the form of a range map or a tabset icon inline.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting both sets of results based on the choice of dates in a single query is
how far I have got till now. take a look.
index=abcd host=pqrs* earliest=07/01/2015:00:0:0 latest=07/02/2015:01:0:0 | fields DUR, TYPE | timechart limit=0 span=10m count, avg(DUR) by TYPE | eval dataset=1 | append[index=abcd host=pqrs* earliest=07/03/2015:00:0:0 latest=07/04/2015:01:0:0 | fields DUR, TYPE | timechart limit=0 span=10m count, avg(DUR) by TYPE | eval dataset=2]
abcd pqrs are just for an idea.
My next step is to calculate means of each field/column for the corresponding data set and compare the means and output the results of the comparison in the form of a rangemap or tabset icon(inline).
Any suggestions/recommendations are welcome.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I am correct you have two time ranges to be compared in one report-
-http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/
Use date format instead of relative time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for that @jensonthottian.
But,
I have about 180 items/fields that are being measured. I need to do a statistical analysis on each of the 180 fields/entities and then compare them over the time ranges.
How should I proceed in this case?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take a look at the Timewrap app: https://splunkbase.splunk.com/app/1645/
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
