Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you compare the same field in two different time periods?

omprakash9998
Path Finder
‎02-14-2019 11:07 AM

We have events from several hosts. We want to get the difference in the value of the field between two different times by each host and process. And also compare those two Values and display only those values which are higher than those of the previous time period.

  index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process  counter="Private_Bytes"  earliest=-15m@m latest=-5m@m|stats avg(Value) AS Val1 by host process_name | append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process  counter="Private_Bytes"  earliest=-5m@m latest=@m]

I have tried this in some other ways too, but I am not able to display the Value for the current time period.

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-14-2019 11:13 AM

Hi @omprakash9998

Give this a try

index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
| stats avg(Value) AS older by host process_name 
| append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
| stats latest(older) as older latest(newer) as newer by host process_name
| where newer > older

A better way would be to use something like bins to bucket your samples into groups, but the above should suffice

Reply

omprakash9998
Path Finder
‎02-14-2019 11:23 AM

Hi @chrisyoungerjds

The search returns "No results found". But there is a definite difference if the Value for the two time periods. i ran them individually and checked.

Thanks,
om

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-14-2019 11:25 AM

If you cut the search down to this, does it work?

 index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
 | stats avg(Value) AS older by host process_name 
 | append [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
 | stats latest(older) as older latest(newer) as newer by host process_name
0 Karma
Reply

omprakash9998
Path Finder
‎02-14-2019 11:27 AM

Now, it is populating the table with the fields host, process_name, older and newer. But the Older and newer columns are empty.

0 Karma
Reply

omprakash9998
Path Finder
‎02-14-2019 11:57 AM 
index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-15m@m latest=-5m@m
  | stats avg(Value) AS older by host process_name 
  | join [search index=perfmon eventtype="perfmon_windows" (Host="*") Host="*" object=Process counter="Private_Bytes" earliest=-5m@m latest=@m | stats avg(Value) AS newer by host process_name ]
  | table host, process_name, older, newer

i used join in the place of append and used the table command at the end instead of stats and it works for now.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...