Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

file name comparison between today vs yesterday

selvam_sekar
Path Finder
‎12-11-2023 07:24 AM

Hi,

I want to create the panel (table) to monitor the todays data vs yesterdays log data as below. 

Please could you help ? how to get the missed data

Current SPL:

basesearch
| stats count as Count_Today by User
| appendcols
[ basesearch
| stats count as Count_Yesterday by User]
| eval Missing=abs(round(VOLUMELASTWEEK-VOLUMETODAY))
| table User Count_Today Count_Yesterday Missing

Expected Result:

UserCount_TodayCount_YesterdayMissingMissed File Name
ABC541abc*

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-11-2023 08:08 AM

appendcols is not often the way to go, as is probably the case here too.

The reason for that is the the events which are appended are not correlated with the first set of results, e.g. by user.

You could try using chart

 

basesearch (including both days)
| bin _time span=1d
| chart count by user _time

 

This will at least give you the counts so you can subtract one day's count from the other.

However, find out which file or files are missing, is more tricky.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-11-2023 08:08 AM

appendcols is not often the way to go, as is probably the case here too.

The reason for that is the the events which are appended are not correlated with the first set of results, e.g. by user.

You could try using chart

 

basesearch (including both days)
| bin _time span=1d
| chart count by user _time

 

This will at least give you the counts so you can subtract one day's count from the other.

However, find out which file or files are missing, is more tricky.

0 Karma
Reply
Solved! Jump to solution

selvam_sekar
Path Finder
‎12-12-2023 04:19 AM

is there a way to get the difference between today's volume difference vs yesterdays volume difference in percentage ?

Current SPL:

base search earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| chart count by User_Id, Day.

Expected Result:

User_IdTodayYesterdayPercentage_Difference
abc510100%
xyz24100%

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-12-2023 04:37 AM

I have no idea what that means, can you give an example of your expected results and how you think they should be calculated?

0 Karma
Reply
Solved! Jump to solution

selvam_sekar
Path Finder
‎12-12-2023 04:57 AM

sure. for example, user called abc uploaded two files today with name as abc.1 , abc.2.

the same user abc uploaded four files yesterday abc.1, abc.2, abc.3, abc.4.

I want to create the table, with  user name and uploaded files count today and yesterday.. what is missing file count from previous day.

in this scenario,

UserTodayYesterdayMissing File from previous Day
abc242 ( in Percentage) 100% 

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-12-2023 05:26 AM

How is 2 missing 100%? 100% of what?

0 Karma
Reply
Solved! Jump to solution

selvam_sekar
Path Finder
‎12-12-2023 05:42 AM

sorry my bad, it should be 50% variance. Today =2, yesterday 4

 

(Yesterday count - Today count / Yesterday  count )* 100

(4-2 /4)* 100 = >2/4 *100 ==> 50%

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-12-2023 05:47 AM 
base search earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| chart count by User_Id, Day
| eval Percentage_Difference = ((Yesterday - Today) / Yesterday) * 100
0 Karma
Reply
Solved! Jump to solution

selvam_sekar
Path Finder
‎12-12-2023 06:03 AM

Many thanks for your time and insights @ITWhisperer  🙂 it works as expected.

0 Karma
Reply
Solved! Jump to solution

selvam_sekar
Path Finder
‎12-11-2023 08:51 AM

Sure, thanks for the note.

 

is it possible for finding the missing file ? any reference

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-11-2023 09:00 AM 
| bin _time span=1d
| stats count by user file _time
| eval days_ago = ((relative_time(now(), "@d") - _time) / 84600) + 1
| stats sum(days_ago) as day_flag by user file
| where day_flag < 3

This will give you day_flag = 1 if the file was missing yesterday and day_flag = 2 if the file was missing today

0 Karma
Reply
Solved! Jump to solution

selvam_sekar
Path Finder
‎12-12-2023 09:28 AM

 I tried this and it seems to returns no results. What I am trying is to compare the file received previous day and whether that's is there in today. and return the actual file name.

for example,

file name in the log say abc.1, abc.2 received previous day and today it will be expected that the same file names and counts are received. Due to some reason, if  abc.1 is not received and we want to display, the abc.1

Current SPL:

basesearch

| bin _time span=1d
| eval days_ago = ((relative_time(now(), "@d") - _time) / 84600) + 1
| stats sum(days_ago) as day_flag by User_Id file
| where day_flag < 3

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-12-2023 09:53 AM

There was a typo in my solution - try this

basesearch

| bin _time span=1d
| eval days_ago = ((relative_time(now(), "@d") - _time) / 86400) + 1
| stats sum(days_ago) as day_flag by User_Id file
| where day_flag < 3
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...