- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Comparing Field Value with last Month Value an...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi , I need help with following Log :
5th May device="devicename" policy="XYZ" BW_Limit="any number" Total_BW="any number"
4th June device="devicename" policy="XYZ" BW_Limit="any number" Total_BW="any number"
I have multiple logs coming for different devices like above and i would like to compare BW_Limit variable with last month value of same variable for different devices and then show only for those devices which have different BW_Limit value in latest month so i can find out which all devices have BW_Limit got changed and table last month BW_Limit and this month changed BW_Limit value . Unable to get this working and would need help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @atulitm,
Have you tried something like this, run this over any period and it will compare the latest and earliest value of your BW_Limit field for devices and return those that are different :
index=yourIndex sourcetype=yourSourcetype
| stats earliest(BW_Limit) as old_ BW_Limit, latest(BW_Limit) as new_BW_Limit by device
| where old_ BW_Limit!=new_BW_Limit
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @atulitm,
You can have a subsearch(with its own specified timerange using earliest and latest arguement) which gets BW_Limit value from a month before 30 days as follows:
index="your_index" device="devicename" policy="XYZ" BW_Limit="any number"
| join device policy BW_Limit
[| search index="your_index" device="devicename" policy="XYZ" BW_Limit="any number" earliest=-60d@d latest=-30d@d
| rename BW_Limit as old_BW_Limit]
| where BW_Limit!=old_BW_Limit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @atulitm,
Have you tried something like this, run this over any period and it will compare the latest and earliest value of your BW_Limit field for devices and return those that are different :
index=yourIndex sourcetype=yourSourcetype
| stats earliest(BW_Limit) as old_ BW_Limit, latest(BW_Limit) as new_BW_Limit by device
| where old_ BW_Limit!=new_BW_Limit
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks David , It works . is there any way i can look for last log by device instead of earliest which will show the oldest log in time frame mentioned instead . Like if i have 5 log entries for same device in last 7 days and i want to check only last log and latest log by Device for difference in BW_Limit . is that possible to do .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks David . I will try to create one .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes sir you can ! Have a look here : https://answers.splunk.com/answers/150909/how-can-i-get-the-previous-value-of-the-field-that-im-comp...
You'll have to run streamstatsto make a new field called previous value before you run the stats command in the answer here.
Let me know if you're able to it and please upvote and accept the answer if it was helpful 🙂
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
