Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you compare the same field in two different time periods?

omprakash9998
Path Finder
‎02-14-2019 11:07 AM

We have events from several hosts. We want to get the difference in the value of the field between two different times by each host and process. And also compare those two Values and display only those values which are higher than those of the previous time period.

  index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process  counter="Private_Bytes"  earliest=-15m@m latest=-5m@m|stats avg(Value) AS Val1 by host process_name | append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process  counter="Private_Bytes"  earliest=-5m@m latest=@m]

I have tried this in some other ways too, but I am not able to display the Value for the current time period.

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-14-2019 11:13 AM

Hi @omprakash9998

Give this a try

index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
| stats avg(Value) AS older by host process_name 
| append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
| stats latest(older) as older latest(newer) as newer by host process_name
| where newer > older

A better way would be to use something like bins to bucket your samples into groups, but the above should suffice

Reply

omprakash9998
Path Finder
‎02-14-2019 11:23 AM

Hi @chrisyoungerjds

The search returns "No results found". But there is a definite difference if the Value for the two time periods. i ran them individually and checked.

Thanks,
om

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-14-2019 11:25 AM

If you cut the search down to this, does it work?

 index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
 | stats avg(Value) AS older by host process_name 
 | append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
 | stats latest(older) as older latest(newer) as newer by host process_name
0 Karma
Reply

omprakash9998
Path Finder
‎02-14-2019 11:27 AM

Now, it is populating the table with the fields host, process_name, older and newer. But the Older and newer columns are empty.

0 Karma
Reply

omprakash9998
Path Finder
‎02-14-2019 11:57 AM 
index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
  | stats avg(Value) AS older by host process_name 
  | join [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
  | table host, process_name, older, newer

i used join in the place of append and used the table command at the end instead of stats and it works for now.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...