Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write a search to compare data by period using my sample data?

anshumandas
New Member
‎03-29-2016 02:04 PM 
category    area    period  date          count
cats        A1    20161  15-01-2016 120500
cats        A1    20162     30-01-2016  120500
cats        A1    20163  30-01-2016 120500
cats        B1    20163  30-01-2016 120500
cats        C1    20163  30-01-2016 120500
dogs        B1    20161  15-01-2016 100000
dogs        A1    20162  30-01-2016 230000
dogs        C1    20163  30-01-2016 62000
dogs        B1    20164  15-02-2016 1100
dogs        A1    20164  15-02-2016 2560
dogs        B1    20165  28-02-2016 2560
dogs        C1    20165  28-02-2016 2560

I have data in the above format. How do I make comparison between current period and previous period in real-time across category, area, and count? For example for Jan 2016, there are 3 executions (in 3 periods) 15-01-2016(20161), 30-01-2016(20162) and another one on 30-01-2016(20163). Similarly for Feb'16 we have 2 periods 20164 and 20165. A month would usually have 2-3 executions and each time the period counter is increased by 1.

How can I make comparison in real time between my current period and previous period (say for example 20165 and 20164)?

Help here would be really appreciated!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-29-2016 03:28 PM

Try something like this

your current search giving fields category area period date count in above format  | appendpipe [stats count by period | sort 0 -period | streamstats count as sno by period | accum sno ]| sort 0 -period | eventstats values(sno) as sno by period | where (sno=1 OR sno=2) AND isnotnull(category) | eval period=if(sno=1,"current","previous")| eval temp=category."##".area | chart sum(count) as count over temp by period | rex field=temp "(?<category>.+)##(?<area>.+)" | fields - temp| table category area * | fillnull value=0

View solution in original post

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎03-29-2016 03:41 PM

What sort of comparison do you want to make? Increase/decrease in count? What do you mean by "real-time" when all of this is historical data?

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎03-29-2016 03:39 PM

Hi anshumandas,

Since your not providing information about what you want to compare, try this search:

Your base search here to give the example output from your question 
| streamstats current=f last(count) AS last_count last(category) AS last_category by period 
| table period category count last_count 
| where last_count!=count

This will give you a table were the count is different per category by period.

Adopt to your needs and hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-29-2016 03:28 PM

Try something like this

your current search giving fields category area period date count in above format  | appendpipe [stats count by period | sort 0 -period | streamstats count as sno by period | accum sno ]| sort 0 -period | eventstats values(sno) as sno by period | where (sno=1 OR sno=2) AND isnotnull(category) | eval period=if(sno=1,"current","previous")| eval temp=category."##".area | chart sum(count) as count over temp by period | rex field=temp "(?<category>.+)##(?<area>.+)" | fields - temp| table category area * | fillnull value=0
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...