Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare fields between yesterday and today

splunk4better
Engager
‎09-05-2020 06:05 AM

Hi All,

I am a newbie in Splunk world and looking for some help in structuring my query.

I have an index with data like this -

 

 

 

DATE		CUST_ID	CUST_NAME	ITEM_REF	CUST_PRICE	CUST_DISC
09/04/2020	012341	ERIC N		011111		199.00		0.10
09/04/2020	012342	RUBY N		011112		209.00		0.15
09/04/2020	012343	JULY N		011113		189.00		0.12
09/04/2020	012344	SEAN N		011114		619.00		0.18

09/05/2020	012341	ERIC N		011111		199.00		0.10
09/05/2020	012342	RUBY N		011112		229.00		0.12
09/05/2020	012343	JULY N		011114		139.00		0.19
09/05/2020	012344	SEAN N		011114		619.00		0.18

 

 

 

 

I am looking to build a query that will show me all the fields that have changed from yesterday (09/04/2020) and today (09/05/2020) based on the CUST_ID. The output will be like this

 

 

 

 

CUST_ID		CUST_NAME	ITEM_REF	CUST_PRICE	CUST_DISC
012342		RUBY N		011112		229.00		0.12
012343		JULY N		011114		139.00		0.19

 

 

 

 

I tried doing this (got some ideas in this forum) but could only do a comparison for one field (CUST_PRICE) and not for two or more fields based on the cust_id.
Is there a way I can show all the mismatched fields? (as shown above as an example)

 

 

 

 

index="cust_apps" sourcetype=DB earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| chart values(CUST_PRICE) over CUST_ID by Day | where Yesterday!=Today | table CUST_ID Yesterday Today

 

 

 

 

Please help.

 

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-05-2020 10:03 AM

 

index="cust_apps" sourcetype=DB earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| eventstats count  by CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC
| search count=1 Day="Today"
| table CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC

 

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-05-2020 10:03 AM

 

index="cust_apps" sourcetype=DB earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| eventstats count  by CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC
| search count=1 Day="Today"
| table CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC

 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

splunk4better
Engager
‎09-06-2020 06:59 AM

Thanks a lot. the query is working.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...