Solved: can some explain this search please

vikram1583 · ‎04-16-2020

to4kawa · ‎04-16-2020

|eval _time= strftime(_time, "%Y-%m-%d")
|stats latest(AssetRiskScore) as score by _time AssetNames
| sort 0 - _time
| dedup 2 AssetNames 
| reverse
| streamstats current=f last(score) AS prev_score BY AssetNames
| eval change = score - prev_score

chang epoch time to text like 2020-04-15
aggregate by _time and AssetNames this display latest AssetRiskScore values as score
sort _time ascending
keep only first two AssetNames
sort _time descending
by each AssetNames, display just before score value(like autoregress)
calculate change

View solution in original post

to4kawa · ‎04-16-2020

|eval _time= strftime(_time, "%Y-%m-%d")
|stats latest(AssetRiskScore) as score by _time AssetNames
| sort 0 - _time
| dedup 2 AssetNames 
| reverse
| streamstats current=f last(score) AS prev_score BY AssetNames
| eval change = score - prev_score

chang epoch time to text like 2020-04-15
aggregate by _time and AssetNames this display latest AssetRiskScore values as score
sort _time ascending
keep only first two AssetNames
sort _time descending
by each AssetNames, display just before score value(like autoregress)
calculate change

to4kawa · ‎04-17-2020

If I make it:

 |eval _time= strftime(_time, "%Y-%m-%d")
 |stats range(AssetRiskScore) as change min(AssetRiskScore) as prev_score max(AssetRiskScore) as score by _time AssetNames

This is enough.

can some explain this search please

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!