Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Convert Dynamic Date into Variable.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is my search query
... earliest=-2d@d latest=now....| untable _time Metrics Value | eval Date=strftime(_time,"%m-%d-%y") | chart first(Value) over Metrics by Date limit=0...
Here I get the output field names in date format i.e. 09-30-15 10-01-15 . I want to convert this field name into variable so that I can pass the variable to use it for a comparison.
...| streamstats window=2 current=t global=f
values(09-30-15) as previous_day
values(10-01-15) as current_day
by Metrics
| eval values_changed= if(previous_day==current_day,"NO","YES")
I tried many ways but no luck.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
... earliest=-2d@d latest=now....| untable _time Metrics Value | eval Date=if(_time<relative_time(now(),"-1d@d"), "current_day","previous_day") | chart first(Value) over Metrics by Date limit=0 | eval values_changed= if(previous_day==current_day,"NO","YES")
Update
Try this
index=index1 sourcetype=sourcetype1 field1=Comp_prop host=host1 earliest=-1d@d latest=now | sort field1| table _time Ram_Size, Disk_Space| untable _time Metrics Value | eval Date=if(_time<relative_time(now(),"@d"), "previous_day","current_day") | chart first(Value) over Metrics by Date limit=0 | eval values_changed= if(previous_day==current_day,"NO","YES")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
... earliest=-2d@d latest=now....| untable _time Metrics Value | eval Date=if(_time<relative_time(now(),"-1d@d"), "current_day","previous_day") | chart first(Value) over Metrics by Date limit=0 | eval values_changed= if(previous_day==current_day,"NO","YES")
Update
Try this
index=index1 sourcetype=sourcetype1 field1=Comp_prop host=host1 earliest=-1d@d latest=now | sort field1| table _time Ram_Size, Disk_Space| untable _time Metrics Value | eval Date=if(_time<relative_time(now(),"@d"), "previous_day","current_day") | chart first(Value) over Metrics by Date limit=0 | eval values_changed= if(previous_day==current_day,"NO","YES")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unless you provide a full search or sample data, I do not thing anybody is going to be able to understand your situation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
here is my search query..
* index=index1 sourcetype=sourcetype1 field1=Comp_prop host=host1 earliest=-1d@d latest=now | sort field1| table Ram_Size, Disk_Space| untable _time Metrics Value | eval Date=strftime(_time,"%m-%d-%y") | chart first(Value) over Metrics by Date limit=0 | eval values_changed= if(previous_day==current_day,"NO","YES") *
Here field1 contains System_Properties like Ram_size, Disk_Space etc. The Disk_Space must not change, if in case it changes I must get the value "YES" in values_changed field. My output must be like
Metrics 10-11-15 10-12-15 values_changed
Disk_Space 25000 20000 YES
Ram_Size 4 4 NO
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
