Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing sum results between several days

KaitoKozo
Explorer
‎01-26-2021 07:28 PM

I am trying to average the sum of power consumption readings between 2 days and compare that sum to a 3rd day. If the 3rd day’s total power consumption is 20% higher than the average of the previous 2 days, I would like to flag the day as having more power consumption than usual.

The main issue I have is in trying to do this comparison as I’m unsure if it’s possible to store data as variables similar to programming and am unable to do the full search/compute/compare in 1 line, in particular trying to target “specific dates relative to current date”.

I am having difficulty trying to implement my logic process in splunk as I am still relatively new to the system and am unsure about the capabilities and syntax of this platform.

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-26-2021 08:19 PM

Hi @KaitoKozo,

Please try below;

 

index=power_consumption earliest=-3d@d
| timechart span=1d sum(consumption) as consumption
| streamstats window=2 current=f avg(consumption) as last2days
| tail 1
| where last2days>0 AND consumption>last2days*1.2

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-26-2021 08:19 PM

Hi @KaitoKozo,

Please try below;

 

index=power_consumption earliest=-3d@d
| timechart span=1d sum(consumption) as consumption
| streamstats window=2 current=f avg(consumption) as last2days
| tail 1
| where last2days>0 AND consumption>last2days*1.2

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

KaitoKozo
Explorer
‎01-27-2021 07:11 PM

Thanks! This has helped a bunch! However, I'm now getting an error that it has the '>' operator received different types in the where command. 

Through some testing, I have found out that the comparison of "Consumption > last2days*1.2" is the one causing issues, in particular "last2days*1.2". I am able to run the code if I change it to "Consumption > last2days", however the final result that appears is that Consumption is lesser than last2days.

KaitoKozo_0-1611803429908.png

This is the SS of the results that showed up when I added your modifications with "Consumption > last2days" instead.

Edit: I just digested and understood what the code does, so that 1 result was actually supposed to appear. Is there any way to create a chart that will plot those situations that only have days where the consumption is higher than the previous 2 days?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...