Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Compare fields between yesterday and today

splunk4better
Engager
‎09-05-2020 06:05 AM

Hi All,

I am a newbie in Splunk world and looking for some help in structuring my query.

I have an index with data like this -

 

 

 

DATE		CUST_ID	CUST_NAME	ITEM_REF	CUST_PRICE	CUST_DISC
09/04/2020	012341	ERIC N		011111		199.00		0.10
09/04/2020	012342	RUBY N		011112		209.00		0.15
09/04/2020	012343	JULY N		011113		189.00		0.12
09/04/2020	012344	SEAN N		011114		619.00		0.18

09/05/2020	012341	ERIC N		011111		199.00		0.10
09/05/2020	012342	RUBY N		011112		229.00		0.12
09/05/2020	012343	JULY N		011114		139.00		0.19
09/05/2020	012344	SEAN N		011114		619.00		0.18

 

 

 

 

I am looking to build a query that will show me all the fields that have changed from yesterday (09/04/2020) and today (09/05/2020) based on the CUST_ID. The output will be like this

 

 

 

 

CUST_ID		CUST_NAME	ITEM_REF	CUST_PRICE	CUST_DISC
012342		RUBY N		011112		229.00		0.12
012343		JULY N		011114		139.00		0.19

 

 

 

 

I tried doing this (got some ideas in this forum) but could only do a comparison for one field (CUST_PRICE) and not for two or more fields based on the cust_id.
Is there a way I can show all the mismatched fields? (as shown above as an example)

 

 

 

 

index="cust_apps" sourcetype=DB earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| chart values(CUST_PRICE) over CUST_ID by Day | where Yesterday!=Today | table CUST_ID Yesterday Today

 

 

 

 

Please help.

 

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-05-2020 10:03 AM

 

index="cust_apps" sourcetype=DB earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| eventstats count  by CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC
| search count=1 Day="Today"
| table CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC

 

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-05-2020 10:03 AM

 

index="cust_apps" sourcetype=DB earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| eventstats count  by CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC
| search count=1 Day="Today"
| table CUST_ID,CUST_NAME,ITEM_REF,CUST_PRICE,CUST_DISC

 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

splunk4better
Engager
‎09-06-2020 06:59 AM

Thanks a lot. the query is working.

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...