Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Comparing Field Value with last Month Value and show if different

atulitm
Path Finder
‎06-04-2019 01:12 AM

Hi , I need help with following Log :

5th May device="devicename" policy="XYZ" BW_Limit="any number" Total_BW="any number"
4th June device="devicename" policy="XYZ" BW_Limit="any number" Total_BW="any number"

I have multiple logs coming for different devices like above and i would like to compare BW_Limit variable with last month value of same variable for different devices and then show only for those devices which have different BW_Limit value in latest month so i can find out which all devices have BW_Limit got changed and table last month BW_Limit and this month changed BW_Limit value . Unable to get this working and would need help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-04-2019 01:20 AM

Hi @atulitm,

Have you tried something like this, run this over any period and it will compare the latest and earliest value of your BW_Limit field for devices and return those that are different :

index=yourIndex sourcetype=yourSourcetype 
| stats earliest(BW_Limit) as old_ BW_Limit, latest(BW_Limit) as new_BW_Limit by device
| where old_ BW_Limit!=new_BW_Limit

Cheers,
David

View solution in original post

0 Karma
Reply
Solved! Jump to solution

harshpatel
Contributor
‎06-04-2019 02:03 AM

Hi @atulitm,

You can have a subsearch(with its own specified timerange using earliest and latest arguement) which gets BW_Limit value from a month before 30 days as follows:

index="your_index" device="devicename" policy="XYZ" BW_Limit="any number" 
| join device policy BW_Limit 
    [| search index="your_index" device="devicename" policy="XYZ" BW_Limit="any number" earliest=-60d@d latest=-30d@d 
    | rename BW_Limit as old_BW_Limit] 
| where BW_Limit!=old_BW_Limit
0 Karma
Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-04-2019 01:20 AM

Hi @atulitm,

Have you tried something like this, run this over any period and it will compare the latest and earliest value of your BW_Limit field for devices and return those that are different :

index=yourIndex sourcetype=yourSourcetype 
| stats earliest(BW_Limit) as old_ BW_Limit, latest(BW_Limit) as new_BW_Limit by device
| where old_ BW_Limit!=new_BW_Limit

Cheers,
David

0 Karma
Reply
Solved! Jump to solution

atulitm
Path Finder
‎06-04-2019 01:50 AM

Thanks David , It works . is there any way i can look for last log by device instead of earliest which will show the oldest log in time frame mentioned instead . Like if i have 5 log entries for same device in last 7 days and i want to check only last log and latest log by Device for difference in BW_Limit . is that possible to do .

0 Karma
Reply
Solved! Jump to solution

atulitm
Path Finder
‎06-04-2019 02:07 AM

Thanks David . I will try to create one .

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-04-2019 01:59 AM

Yes sir you can ! Have a look here : https://answers.splunk.com/answers/150909/how-can-i-get-the-previous-value-of-the-field-that-im-comp...
You'll have to run streamstatsto make a new field called previous value before you run the stats command in the answer here.

Let me know if you're able to it and please upvote and accept the answer if it was helpful 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...