Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Comparing current hour to previous day's hour.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Comparing current hour to previous day's hour.
index=XYZ trunkgroup| stats count(_raw) as Total_Calls, count(eval(Sip_Resp=="200")) as Completed_Calls by OTG
| search Total_Calls>500 | eval Completion_Percentage= (Completed_Calls/Total_Calls * 100)|eval Completion_Percentage=round(Completion_Percentage,2)
Hello,
I have this simple query that provides total amount of calls, how many were completed, and the completion percentage.
I would like to add to this query where I compare it to the previous day at the same hour.
I would like this query to be dynamic where it is always comparing the previous day's hour.
What can I append to this search query that will show me the data yesterday at the same hour?
Any help would be greatly appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
this evaluates the count on the delivered _audit index for today's current hour vs yesterday's current hour.If this is what you need, merely replace your index etc. the stuff from timechart onwards remains the same
index="_audit" |timechart span=1h count | timewrap 1day|eval flg=strftime(now(),"%H")|eval mrkr=strftime(_time,"%H")|where mrkr=flg
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @philgopaul - Did this resolve your issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, this is not helpful. Cannot get query to work with that suggestion
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cannot get that query to work w/ timechart command. I prefer to use stats command.
I am still not understanding how to compare data to previous hour.
I have this query which is similar to original post.
index=XYZ |stats count(_raw) as Total,
count(eval(txnStatus=="ok")) as
Success,
count(eval(txnStatus=="cc_fail")) as
"Failed" |eval Comp_Percentage=
(Success/Total * 100)|eval
Comp_Percentage=round(Comp_Percentage,2)
How do I add a count to that query where I am looking at previous day at the same hour?
Thanks for any guidance you can provide.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
