Solved: How do I write a search to compare data by period ...

anshumandas · ‎03-29-2016

category    area    period  date          count
cats        A1    20161  15-01-2016 120500
cats        A1    20162     30-01-2016  120500
cats        A1    20163  30-01-2016 120500
cats        B1    20163  30-01-2016 120500
cats        C1    20163  30-01-2016 120500
dogs        B1    20161  15-01-2016 100000
dogs        A1    20162  30-01-2016 230000
dogs        C1    20163  30-01-2016 62000
dogs        B1    20164  15-02-2016 1100
dogs        A1    20164  15-02-2016 2560
dogs        B1    20165  28-02-2016 2560
dogs        C1    20165  28-02-2016 2560

I have data in the above format. How do I make comparison between current period and previous period in real-time across category, area, and count? For example for Jan 2016, there are 3 executions (in 3 periods) 15-01-2016(20161), 30-01-2016(20162) and another one on 30-01-2016(20163). Similarly for Feb'16 we have 2 periods 20164 and 20165. A month would usually have 2-3 executions and each time the period counter is increased by 1.

How can I make comparison in real time between my current period and previous period (say for example 20165 and 20164)?

Help here would be really appreciated!!

somesoni2 · ‎03-29-2016

Try something like this

your current search giving fields category area period date count in above format  | appendpipe [stats count by period | sort 0 -period | streamstats count as sno by period | accum sno ]| sort 0 -period | eventstats values(sno) as sno by period | where (sno=1 OR sno=2) AND isnotnull(category) | eval period=if(sno=1,"current","previous")| eval temp=category."##".area | chart sum(count) as count over temp by period | rex field=temp "(?<category>.+)##(?<area>.+)" | fields - temp| table category area * | fillnull value=0

View solution in original post

lguinn2 · ‎03-29-2016

What sort of comparison do you want to make? Increase/decrease in count? What do you mean by "real-time" when all of this is historical data?

MuS · ‎03-29-2016

Hi anshumandas,

Since your not providing information about what you want to compare, try this search:

Your base search here to give the example output from your question 
| streamstats current=f last(count) AS last_count last(category) AS last_category by period 
| table period category count last_count 
| where last_count!=count

This will give you a table were the count is different per category by period.

Adopt to your needs and hope this helps ...

cheers, MuS

somesoni2 · ‎03-29-2016

Try something like this

your current search giving fields category area period date count in above format  | appendpipe [stats count by period | sort 0 -period | streamstats count as sno by period | accum sno ]| sort 0 -period | eventstats values(sno) as sno by period | where (sno=1 OR sno=2) AND isnotnull(category) | eval period=if(sno=1,"current","previous")| eval temp=category."##".area | chart sum(count) as count over temp by period | rex field=temp "(?<category>.+)##(?<area>.+)" | fields - temp| table category area * | fillnull value=0

How do I write a search to compare data by period using my sample data?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk