Splunk Search

How do I find the delta between sum of values for two days with below query?

rajapr15
Engager

index=_internal type=usage idx=wineventlog | bucket span=1d _time | stats sum(b) as sum by h,_time

The above query gives the sum for "b" values over a period of one day. If I run the query for time period of two days I get two sums for "h". Difference between these two sums need to be found.

Tags (1)
0 Karma

rajapr15
Engager

Thanks!

I found an alternative which worked for me-

index=_internal type=usage idx=wineventlog | chart sum(b) by h date_wday | eval diff=sunday-tuesday | eval diff=abs(diff) | sort -diff

0 Karma

rjthibod
Champion

the date_* fields are not considered authoritative from an accuracy standpoint, and your query will only work as long as you have queries less than one week (non-overlapping days of the week).

rjthibod
Champion

Look at the last answer in this post

https://answers.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts.html

index=_internal type=usage idx=wineventlog 
| bucket span=1d _time 
| stats sum(b) as b by h,_time
| streamstats current=t global=f window=2 latest(b) as curr earliest(b) as next by h
| eval delta=next-curr
| timechart span=1d sum(delta) as delta by h
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...