Dashboards & Visualizations

How do I compare today’s and yesterday’s data to highlight

chriswn
Observer

I have the following table. If the number of scg fail on the day is twice that of the previous day, I want to highlight it. How should I do.

Hope you can help. Thanks!

datescg_fail_number
1/0112
1/0224
1/0330
1/0460
 
 

 

Labels (2)
0 Karma

manjunathmeti
Champion

hi @chriswn ,
Use delta command. Try this:

| makeresults 
| eval _raw="date	scg_fail_number
1/01	12
1/02	24
1/03	30
1/04	60
1/05	20" 
| multikv forceheader=1 
| delta scg_fail_number as diff 
| eval is_twice=if(2*diff>=scg_fail_number, "YES", "NO")
| table date, scg_fail_number, is_twice

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma

chriswn
Observer

hi 

Thanks for your reply.

But what I want is what I show, I don’t want to add new fields.

 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...