Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Comparing current hour to previous day's hour.

philgopaul
New Member
‎09-09-2019 09:20 AM

index=XYZ trunkgroup| stats count(_raw) as Total_Calls, count(eval(Sip_Resp=="200")) as Completed_Calls by OTG
| search Total_Calls>500 | eval Completion_Percentage= (Completed_Calls/Total_Calls * 100)|eval Completion_Percentage=round(Completion_Percentage,2)

Hello,

I have this simple query that provides total amount of calls, how many were completed, and the completion percentage.

I would like to add to this query where I compare it to the previous day at the same hour.

I would like this query to be dynamic where it is always comparing the previous day's hour.

What can I append to this search query that will show me the data yesterday at the same hour?

Any help would be greatly appreciated!

Tags (1)
0 Karma
Reply

Sukisen1981
Champion
‎09-09-2019 11:15 AM

try this:
this evaluates the count on the delivered _audit index for today's current hour vs yesterday's current hour.If this is what you need, merely replace your index etc. the stuff from timechart onwards remains the same

index="_audit" |timechart span=1h count | timewrap 1day|eval flg=strftime(now(),"%H")|eval mrkr=strftime(_time,"%H")|where mrkr=flg
0 Karma
Reply

Sukisen1981
Champion
‎09-29-2019 12:26 AM

hi @philgopaul - Did this resolve your issue?

0 Karma
Reply

philgopaul
New Member
‎11-08-2019 07:48 AM

No, this is not helpful. Cannot get query to work with that suggestion

0 Karma
Reply

philgopaul
New Member
‎11-08-2019 08:03 AM

I cannot get that query to work w/ timechart command. I prefer to use stats command.

I am still not understanding how to compare data to previous hour.

I have this query which is similar to original post.

index=XYZ |stats count(_raw) as Total,
count(eval(txnStatus=="ok")) as
Success,
count(eval(txnStatus=="cc_fail")) as
"Failed" |eval Comp_Percentage=
(Success/Total * 100)|eval
Comp_Percentage=round(Comp_Percentage,2)

How do I add a count to that query where I am looking at previous day at the same hour?

Thanks for any guidance you can provide.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...