Splunk Search

How do I compare search results from two different time periods?

Explorer

Hi,

I'm looking to do something like this:

Take a search with three fields, one being a count (ExceptionClass, Class (these two fields are extracted from the same single event), count(Class)) during a 10-minute time period; take that same search to get data from 20m to 10m ago, and then compare the differences between the two results. Now, where I'm having issues is figuring out which function to use: set diff, append, or whatever.

Basically, here's a similar scenario:

In a 10m to now search, you pull up all your http events and count each one. So, let's say, your first search comes with the counts below:

http 500 - 30
http 401 - 20
http 200 - 50
http 201 - 50

Then, you take that same search from the earliest being 20m ago and the latest 10 min ago and get the counts below:

http 401 - 5
http 200 - 5
http 201 - 5

I want a table that outputs like this:

http 401 - 25
http 200 - 55
http 201 - 55

In this case, the second search didn't produce any http 500 codes so I want that result dropped off from my final output while the others that did appear, had their counts added together.

A rough search I have so far is:

index=dynatrace-exceptions set diff [search index=dynatrace-exceptions App=EDPPS1 earliest=-10m latest=now | stats count(Message) by ExceptionClass, Message] [search index=dynatrace-exceptions App=EDPPS1 earliest=-20m latest=-10m | stats count(Message) by ExceptionClass, Message] | table count(Message) by ExceptionClass, Message

Not even sure Splunk can do this, so any direction would be great!

Ryan


SplunkTrust

Give this a try

index=dynatrace-exceptions App=EDPPS1 earliest=-20m latest=now
| eval period=if(_time>=relative_time(now(),"-10m"),"current","previous")
| eval commonfield=ExceptionClass."##".Message
| chart count(Message) over commonfield by period
| eval difference=previous-current
| rex field=commonfield "(?<ExceptionClass>[^#]+)##(?<Message>.+)"
| table ExceptionClass Message difference current previous

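As an added, self-contained illustration of the accepted approach (not code from the original thread), this search builds a handful of constructed events with makeresults instead of reading an index, so it can be pasted into any Splunk search bar; the status and path fields and the offsets are made up. Beyond the accepted answer it also applies the two requirements from the question that the answer leaves out: rows whose key is missing from either window are dropped, and a summed total is shown next to the difference.

```spl
| makeresults
| eval ev=split("-120:500:/login -180:500:/login -240:401:/api -300:401:/api -360:200:/home -420:200:/home -480:200:/home -720:401:/api -900:200:/home", " ")
| mvexpand ev
| rex field=ev "^(?<offset>-?\d+):(?<status>\d+):(?<path>\S+)$"
| eval _time=now()+tonumber(offset)
| eval period=if(_time>=relative_time(now(),"-10m"),"current","previous")
| eval commonfield=status."##".path
| chart count over commonfield by period
| fillnull value=0 current previous
| where current>0 AND previous>0
| eval total=current+previous, difference=current-previous
| rex field=commonfield "^(?<status>[^#]+)##(?<path>.+)$"
| table status path current previous total difference
```

With the constructed offsets (seconds before now), 500##/login occurs only in the current window and is dropped, while 401##/api yields current=2, previous=1, total=3 and 200##/home yields current=3, previous=1, total=4. The fillnull step guards against blank cells for a key that exists in only one period before the where clause filters them.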


Motivator

Good one. Thanks.


Explorer

This worked! Never thought of doing it this way. Thank you!