Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I find the delta between sum of values for two days with below query?

rajapr15
Engager
‎01-31-2017 04:13 AM

index=_internal type=usage idx=wineventlog | bucket span=1d _time | stats sum(b) as sum by h,_time

The above query gives the sum for "b" values over a period of one day. If I run the query for time period of two days I get two sums for "h". Difference between these two sums need to be found.

Tags (1)
0 Karma
Reply

rajapr15
Engager
‎01-31-2017 06:10 AM

Thanks!

I found an alternative which worked for me-

index=_internal type=usage idx=wineventlog | chart sum(b) by h date_wday | eval diff=sunday-tuesday | eval diff=abs(diff) | sort -diff

0 Karma
Reply

rjthibod
Champion
‎01-31-2017 08:04 AM

the date_* fields are not considered authoritative from an accuracy standpoint, and your query will only work as long as you have queries less than one week (non-overlapping days of the week).

Reply

rjthibod
Champion
‎01-31-2017 05:41 AM

Look at the last answer in this post

https://answers.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts.html

index=_internal type=usage idx=wineventlog 
| bucket span=1d _time 
| stats sum(b) as b by h,_time
| streamstats current=t global=f window=2 latest(b) as curr earliest(b) as next by h
| eval delta=next-curr
| timechart span=1d sum(delta) as delta by h
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...