Splunk Enterprise Security

How to get diff between previous day vs current?

Ghanayem1974
Path Finder

The below search provides me info on failed logins for the past month, for example the last four Fridays. Now I want to alert when a spike occurs for that day or any other day, but I am lost at the `where diff >` part. Any ideas?

|tstats count as current values(Authentication.action) as Action from datamodel="Authentication" where (index=something Authentication.action="failure") by _time span=1day
| eval week_day=strftime(_time,"%a")| sort week_day| streamstats current=f last(current) as prev by week_day
| eval diff=abs(current-prev)
| where diff > blahblah

0 Karma

renjith_nair
Legend

@Ghanayem1974 ,
Try similar to

|tstats count as current where index=_internal by _time
|eval week_day=strftime(_time,"%a")|sort week_day
|streamstats current=f last(current) as prev by week_day|fillnull value="NA"
|eval diff=if(prev=="NA",current,abs(current-prev))
|eval perc_of_change=round((diff/prev)*100,2)|where perc_of_change > 20
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
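The same-weekday comparison the answer's SPL performs, written out as an added Python example (not code from either poster) over a constructed set of daily failed-login counts; it walks the days in time order, which is what the streamstats step needs, and makes explicit the two edge cases the SPL handles implicitly: the first occurrence of a weekday (no baseline, so `fillnull` gives "NA") and a baseline of zero (where Splunk's `diff/prev` evaluates to null and the row is silently dropped by the `where`).

```python
"""Day-of-week baseline spike check, mirroring the SPL above in plain Python."""
from collections import defaultdict
from datetime import date

# Constructed sample: daily failed-login counts (date -> count). 2024-03-01 is a Friday.
SAMPLE_DAILY_COUNTS = {
    date(2024, 3, 1): 40,   # Fri
    date(2024, 3, 2): 10,   # Sat
    date(2024, 3, 3): 12,   # Sun
    date(2024, 3, 4): 55,   # Mon
    date(2024, 3, 5): 50,   # Tue
    date(2024, 3, 6): 0,    # Wed  (zero baseline edge case)
    date(2024, 3, 7): 48,   # Thu
    date(2024, 3, 8): 95,   # Fri  -> 137.5% change vs previous Fri
    date(2024, 3, 9): 11,   # Sat  -> 10% change, below threshold
    date(2024, 3, 13): 7,   # Wed  -> prev is 0, no percentage can be computed
}


def weekday_spikes(daily_counts, threshold_pct=20.0):
    """Return (day, weekday, prev, current, pct_change) for days whose count
    differs from the previous same-weekday count by more than threshold_pct.
    Like the SPL, the first occurrence of a weekday has no baseline and is
    skipped; unlike Splunk's eval (null on division by zero, row dropped),
    a zero baseline with a non-zero current is reported with pct_change=None."""
    last_seen = defaultdict(lambda: None)   # weekday -> previous day's count
    hits = []
    for day in sorted(daily_counts):         # streamstats walks in time order
        current = daily_counts[day]
        wd = day.strftime("%a")              # same as strftime(_time,"%a")
        prev = last_seen[wd]
        last_seen[wd] = current
        if prev is None:                     # the fillnull "NA" case: no baseline yet
            continue
        diff = abs(current - prev)           # abs(): both rises and drops count
        if prev == 0:
            if diff > 0:
                hits.append((day, wd, prev, current, None))
            continue
        pct = round(diff / prev * 100, 2)    # round((diff/prev)*100,2)
        if pct > threshold_pct:              # where perc_of_change > 20
            hits.append((day, wd, prev, current, pct))
    return hits


if __name__ == "__main__":
    for hit in weekday_spikes(SAMPLE_DAILY_COUNTS):
        print(hit)
```

Because `abs()` is used, a sharp drop in failures alerts just like a spike; drop the `abs()` and keep the sign if only increases should page anyone.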