Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I write a search to compare data by period ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
category area period date count
cats A1 20161 15-01-2016 120500
cats A1 20162 30-01-2016 120500
cats A1 20163 30-01-2016 120500
cats B1 20163 30-01-2016 120500
cats C1 20163 30-01-2016 120500
dogs B1 20161 15-01-2016 100000
dogs A1 20162 30-01-2016 230000
dogs C1 20163 30-01-2016 62000
dogs B1 20164 15-02-2016 1100
dogs A1 20164 15-02-2016 2560
dogs B1 20165 28-02-2016 2560
dogs C1 20165 28-02-2016 2560
I have data in the above format. How do I make comparison between current period and previous period in real-time across category, area, and count? For example for Jan 2016, there are 3 executions (in 3 periods) 15-01-2016(20161), 30-01-2016(20162) and another one on 30-01-2016(20163). Similarly for Feb'16 we have 2 periods 20164 and 20165. A month would usually have 2-3 executions and each time the period counter is increased by 1.
How can I make comparison in real time between my current period and previous period (say for example 20165 and 20164)?
Help here would be really appreciated!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
your current search giving fields category area period date count in above format | appendpipe [stats count by period | sort 0 -period | streamstats count as sno by period | accum sno ]| sort 0 -period | eventstats values(sno) as sno by period | where (sno=1 OR sno=2) AND isnotnull(category) | eval period=if(sno=1,"current","previous")| eval temp=category."##".area | chart sum(count) as count over temp by period | rex field=temp "(?<category>.+)##(?<area>.+)" | fields - temp| table category area * | fillnull value=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What sort of comparison do you want to make? Increase/decrease in count? What do you mean by "real-time" when all of this is historical data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi anshumandas,
Since your not providing information about what you want to compare, try this search:
Your base search here to give the example output from your question
| streamstats current=f last(count) AS last_count last(category) AS last_category by period
| table period category count last_count
| where last_count!=count
This will give you a table were the count is different per category by period.
Adopt to your needs and hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
your current search giving fields category area period date count in above format | appendpipe [stats count by period | sort 0 -period | streamstats count as sno by period | accum sno ]| sort 0 -period | eventstats values(sno) as sno by period | where (sno=1 OR sno=2) AND isnotnull(category) | eval period=if(sno=1,"current","previous")| eval temp=category."##".area | chart sum(count) as count over temp by period | rex field=temp "(?<category>.+)##(?<area>.+)" | fields - temp| table category area * | fillnull value=0
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
