Re: Compare the stats output value

prettysunshinez · ‎10-11-2021

State Date Desc Count
bc 11102021 vm 234569
bc 12102021 vm 456328
bc 11102021 vm 234569
bc 12102021 vm 4532178
cd 11102021 vm 234000
cd 12102021 vm 234000
cd 11102021 vm 234000
cd 12102021 vm 568902

From the stats output (such as above),I would like to first group them as per state, then compare the count[0] with that of count[1] and then count[2] with count [3] and then count [3] with count [0],if any one matches then should be displayed as result.

In the above case for state=cd,index[0] and index[1] are same,so the expect result is

State Date Desc Count

cd 11102021 vm 234000
cd 12102021 vm 234000

Please assist

ITWhisperer · ‎10-12-2021

| makeresults
| eval _raw="State,Date,Desc,Count
bc,11102021,vm,234569
bc,12102021,vm,456328
bc,11102021,vm,234569
bc,12102021,vm,4532178
cd,11102021,vm,234000
cd,12102021,vm,234000
cd,11102021,vm,234000
cd,12102021,vm,568902"
| multikv forceheader=1
| table State,Date,Desc,Count
| streamstats count as row by State
| eval row=if(row=4,mvappend(row,"0"),row)
| mvexpand row
| sort 0 State -row
| streamstats values(Count) as next current=f window=1 by State
| where row>0 AND Count=next
| sort 0 State row

Compare the stats output value

tstats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!