Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I compare distinct counts of a given field between two different time ranges within the same Splunk search?

niravshahcorero
New Member
‎04-13-2016 02:23 PM

I have a CSV file that a list of customers and their orders. The format is as follows:

OrderDate, OrderNumber, Customer, OrderAmount

Same order number can be on multiple lines because a customer can order multiple items under the same order number.
Now, what I want to do is compare the order volume by customer between two years.
Example output:

Customer, 2014 Orders, 2015 Orders, Difference
CustA, 100, 60, -40
CustB, 70, 80, 10
...

I am trying to identify which customers have had a significant decrease in orders and which ones have had a significant increase year over year. I've tried the following but it gives me no search results:

sourcetype="SALESCSV" [search earliest="1/1/2014:00:00:00" latest="12/31/2014:23:59:59" Geography=EMEA search_name="2014 Orders"] [search earliest="1/1/2015:00:00:00" latest="12/31/2015:23:59:59" Geography=EMEA search_name="2015 Orders"] | stats dc(OrderNumber) by search_name
0 Karma
Reply

somesoni2
Revered Legend
‎04-13-2016 02:43 PM

Try like this

sourcetype="SALESCSV" earliest="1/1/2014:00:00:00" latest="1/1/2016:00:00:00" Geography=EMEA 
| eval Period=if(_time>=strptime("1/1/2015","%m/%d/%Y"),"2015_Orders","2014_Orders") | chart dc(OrderNumber) over Customer by Period | eval Difference='2014_Orders'-'2015_Orders'
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...