How can I display the data sum of 2 fields like last month same date data (example: 24 June and 24 May)

Anud
Path Finder

How can I display the data sum of 2 fields like last month same date data (example: 24 June and 24 May)?
I have tried the below query. I was getting the data, but how can I show it in a manner?

index=gc source=apps
| eval AMT=if(IND="DR", BASE_AMT*-1, BASE_AMT)
| eval GLBL1=if(FCR="DR", GLBL*-1, GLBL)
| eval DATE="20".substr(REC_DATE,1,2).substr(REC_DATE,3,2).substr(REC_DATE,5,2)
| eval current_pdate_4=strftime(relative_time(now(), "-30d@d"),"%Y%m%d")
| where DATE = current_pdate_4
| stats sum(AMT) as w4AMT, sum(GLBL1) as w4FEE_AMT by DATE id

|append
[search index=gc source=apps
| eval AMT=if(IND="DR", BASE_AMT*-1, BASE_AMT)
| eval GLBL1=if(FCR="DR", GLBL*-1, GLBL)
| eval DATE="20".substr(REC_DATE,1,2).substr(REC_DATE,3,2).substr(REC_DATE,5,2)
| eval current_pdate_3=strftime(relative_time(now(), "-@d"),"%Y%m%d")
| where DATE = current_pdate_3
| stats sum(AMT) as w3AMT, sum(GLBL1) as w3FEE_AMT by DATE id ]
| table DATE, id, w3AMT, w4AMT, w4FEE_AMT, w3FEE_AMT
| rename DATE as currentDATE, w3AMT as currentdata, w3FEE_AMT as currentamt, w4AMT as lastmonthdate, w4FEE_AMT as lastmonthdateamt



DATE      id  currentdata  lastmonthdate  currentamt  lastmonthdateamt
20240723  2   2323         2123           23          24
20240723  3   2423         2123           23          24
20240723  4   2223         2123           23          24
20240723  5   2323         2123           23          24
20240723  6   2329         2123           23          24
20240723  7   2323         2123           23          24

ITWhisperer
SplunkTrust

Try something like this

index=gc source=apps
| eval AMT=if(IND="DR", BASE_AMT*-1, BASE_AMT)
| eval GLBL1=if(FCR="DR", GLBL*-1, GLBL)
| eval DATE="20".REC_DATE
| where DATE = strftime(relative_time(now(), "-30d@d"),"%Y%m%d") OR DATE=strftime(relative_time(now(), "@d"),"%Y%m%d")
| stats sum(AMT) as w3AMT, sum(GLBL1) as w3FEE_AMT by DATE id
| eval w4AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),null(),w3AMT)
| eval w3AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),w3AMT,null())
| eval w4FEE_AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),null(),w3FEE_AMT)
| eval w3FEE_AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),w3FEE_AMT,null())
| eval DATE=strftime(relative_time(now(), "@d"),"%Y%m%d")
| stats values(*) as * by DATE id
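
A variant of the query above, added here as an example and not part of the original thread: it builds the four columns in a single stats pass with conditional sums, and it uses the calendar-month offset "-1mon@d" because 30 days back from 24 June is 25 May, not 24 May. The makeresults rows and the fields n, note, today and lastmonth are constructed for illustration; against real data, replace everything up to and including the "eval IND=" line with index=gc source=apps.

```spl
| makeresults count=6
| streamstats count as n
| eval note="constructed sample rows standing in for index=gc source=apps"
| eval id=2 + (n % 3)
| eval REC_DATE=if(n<=3, strftime(relative_time(now(), "@d"), "%y%m%d"), strftime(relative_time(now(), "-1mon@d"), "%y%m%d"))
| eval IND=if(n=2, "DR", "CR"), FCR="CR", BASE_AMT=1000*n, GLBL=10*n
| eval AMT=if(IND="DR", BASE_AMT*-1, BASE_AMT)
| eval GLBL1=if(FCR="DR", GLBL*-1, GLBL)
| eval DATE="20".REC_DATE
| eval today=strftime(relative_time(now(), "@d"), "%Y%m%d")
| eval lastmonth=strftime(relative_time(now(), "-1mon@d"), "%Y%m%d")
| where DATE=today OR DATE=lastmonth
| stats sum(eval(if(DATE=today, AMT, null()))) as currentdata,
        sum(eval(if(DATE=lastmonth, AMT, null()))) as lastmonthdate,
        sum(eval(if(DATE=today, GLBL1, null()))) as currentamt,
        sum(eval(if(DATE=lastmonth, GLBL1, null()))) as lastmonthdateamt
        by today id
| rename today as DATE
| table DATE, id, currentdata, lastmonthdate, currentamt, lastmonthdateamt
```

Each id ends up on one row, with today's sums and the sums from the same date last month side by side.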

Anud
Path Finder

It's working!
Thank you for your quick response.
