Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Comparing current hour to previous day's hour.

philgopaul
New Member
‎09-09-2019 09:20 AM

index=XYZ trunkgroup| stats count(_raw) as Total_Calls, count(eval(Sip_Resp=="200")) as Completed_Calls by OTG
| search Total_Calls>500 | eval Completion_Percentage= (Completed_Calls/Total_Calls * 100)|eval Completion_Percentage=round(Completion_Percentage,2)

Hello,

I have this simple query that provides total amount of calls, how many were completed, and the completion percentage.

I would like to add to this query where I compare it to the previous day at the same hour.

I would like this query to be dynamic where it is always comparing the previous day's hour.

What can I append to this search query that will show me the data yesterday at the same hour?

Any help would be greatly appreciated!

Tags (1)
0 Karma
Reply

Sukisen1981
Champion
‎09-09-2019 11:15 AM

try this:
this evaluates the count on the delivered _audit index for today's current hour vs yesterday's current hour.If this is what you need, merely replace your index etc. the stuff from timechart onwards remains the same

index="_audit" |timechart span=1h count | timewrap 1day|eval flg=strftime(now(),"%H")|eval mrkr=strftime(_time,"%H")|where mrkr=flg
0 Karma
Reply

Sukisen1981
Champion
‎09-29-2019 12:26 AM

hi @philgopaul - Did this resolve your issue?

0 Karma
Reply

philgopaul
New Member
‎11-08-2019 07:48 AM

No, this is not helpful. Cannot get query to work with that suggestion

0 Karma
Reply

philgopaul
New Member
‎11-08-2019 08:03 AM

I cannot get that query to work w/ timechart command. I prefer to use stats command.

I am still not understanding how to compare data to previous hour.

I have this query which is similar to original post.

index=XYZ |stats count(_raw) as Total,
count(eval(txnStatus=="ok")) as
Success,
count(eval(txnStatus=="cc_fail")) as
"Failed" |eval Comp_Percentage=
(Success/Total * 100)|eval
Comp_Percentage=round(Comp_Percentage,2)

How do I add a count to that query where I am looking at previous day at the same hour?

Thanks for any guidance you can provide.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...