Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get diff between previous day vs current?

Ghanayem1974
Path Finder
‎06-25-2018 09:18 AM

the below search provides me info on failed logins for the past month, for example the last four fridays now i want to alert when a spike occurs for that day or any other day but i am lost at the where diff > any ideas?

|tstats count values(Authentication.action) as Action from datamodel="Authentication" where (index=something Authentication.action="failure") by _time span=1day
| eval week_day=strftime(_time,"%a")| sort week_day| streamstats current=f last(current) as prev by week_day
| eval diff=abs(current-prev)
| where diff > blahblah

0 Karma
Reply

renjith_nair
Legend
‎06-26-2018 12:53 AM

@Ghanayem1974 ,
Try similar to

|tstats count as current where index=_internal by _time
 |eval week_day=strftime(_time,"%a")|sort week_day
 |streamstats current=f last(current) as prev by week_day|fillnull value="NA"
 |eval diff=if(prev=="NA",current,abs(current-prev))
 |eval perc_of_change=round((diff/prev)*100,2)|where perc_of_change > 20
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...