Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate total count difference per day

Sfry1981
Communicator
‎04-29-2020 07:50 AM

I have a set of data like the below

total=2000
date=2020-04-29

total=1975
date=2020-04-28

total=1951
date=2020-04-27

What I want to produce is a chart that shows the difference per day of these totals i.e as per the below

total difference = 25
date=2020-04-29

total difference=24
date=2020-04-28

total=33
date=2020-04-27

etc

I need a calculation of the difference per day

my raw data already has the total and date in so its a straight calculation from that data

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-29-2020 08:00 AM

@Sfry1981

Can you please try this?

YOUR_SEARCH | eval t=strptime(date,"%Y-%m-%d") | sort t | streamstats window=2 first(total) as p | eval diff=total-p | table date total diff

Sample Search:

| makeresults | eval  total=2000, date="2020-04-29"
| append [ | makeresults | eval total=1975,date="2020-04-28"]
| append [ | makeresults | eval total=1951, date="2020-04-27"] | eval t=strptime(date,"%Y-%m-%d") | sort t | streamstats window=2 first(total) as p | eval diff=total-p | table date total diff

Just change search as per your requirement.

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-29-2020 08:00 AM

@Sfry1981

Can you please try this?

YOUR_SEARCH | eval t=strptime(date,"%Y-%m-%d") | sort t | streamstats window=2 first(total) as p | eval diff=total-p | table date total diff

Sample Search:

| makeresults | eval  total=2000, date="2020-04-29"
| append [ | makeresults | eval total=1975,date="2020-04-28"]
| append [ | makeresults | eval total=1951, date="2020-04-27"] | eval t=strptime(date,"%Y-%m-%d") | sort t | streamstats window=2 first(total) as p | eval diff=total-p | table date total diff

Just change search as per your requirement.

Reply
Solved! Jump to solution

Sfry1981
Communicator
‎04-29-2020 08:11 AM

@kamlesh_vaghela

As the date was in a string format i removed "eval t=strptime(date,"%Y-%m-%d")" and then it worked. Thanks 🙂

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-29-2020 08:24 AM

cool @Sfry1981

Glad to help you

0 Karma
Reply
Solved! Jump to solution

Sfry1981
Communicator
‎04-29-2020 08:34 AM

@kamlesh_vaghela i have 1 issue. It shows all the previous figures as minus so it inverts the graphs but i want them to show as positives. I tried "| eval mynum=abs(mynum)" but this doesnt work. Do you know how to amend?

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-29-2020 09:54 PM

@Sfry1981

| eval mynum=abs(mynum) should work.

Try:
|makeresults count=10 | eval a=-1 | accum a |eval mynum=a | eval mynum=abs(mynum)

Can you please share your sample search and sample value you getting in mynum?

0 Karma
Reply
Solved! Jump to solution

Sfry1981
Communicator
‎04-30-2020 12:20 AM

sorry @kamlesh_vaghela It was my mistake, where i was charting i was using the incorrect value. School boy error. All working again. Thanks for all your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...