Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare fields between yesterday and today

splunk4better
Engager
‎09-05-2020 06:05 AM

Hi All,

I am a newbie in Splunk world and looking for some help in structuring my query.

I have an index with data like this -

 

 

 

DATE		CUST_ID	CUST_NAME	ITEM_REF	CUST_PRICE	CUST_DISC
09/04/2020	012341	ERIC N		011111		199.00		0.10
09/04/2020	012342	RUBY N		011112		209.00		0.15
09/04/2020	012343	JULY N		011113		189.00		0.12
09/04/2020	012344	SEAN N		011114		619.00		0.18

09/05/2020	012341	ERIC N		011111		199.00		0.10
09/05/2020	012342	RUBY N		011112		229.00		0.12
09/05/2020	012343	JULY N		011114		139.00		0.19
09/05/2020	012344	SEAN N		011114		619.00		0.18

 

 

 

 

I am looking to build a query that will show me all the fields that have changed from yesterday (09/04/2020) and today (09/05/2020) based on the CUST_ID. The output will be like this

 

 

 

 

CUST_ID		CUST_NAME	ITEM_REF	CUST_PRICE	CUST_DISC
012342		RUBY N		011112		229.00		0.12
012343		JULY N		011114		139.00		0.19

 

 

 

 

I tried doing this (got some ideas in this forum) but could only do a comparison for one field (CUST_PRICE) and not for two or more fields based on the cust_id.
Is there a way I can show all the mismatched fields? (as shown above as an example)

 

 

 

 

index="cust_apps" sourcetype=DB earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| chart values(CUST_PRICE) over CUST_ID by Day | where Yesterday!=Today | table CUST_ID Yesterday Today

 

 

 

 

Please help.

 

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-05-2020 10:03 AM

 

index="cust_apps" sourcetype=DB earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| eventstats count  by CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC
| search count=1 Day="Today"
| table CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC

 

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-05-2020 10:03 AM

 

index="cust_apps" sourcetype=DB earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| eventstats count  by CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC
| search count=1 Day="Today"
| table CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC

 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

splunk4better
Engager
‎09-06-2020 06:59 AM

Thanks a lot. the query is working.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...