Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How i can display the data sum of 2 fields like Last month same date data (example: 24 june and 24 may)

Anud
Path Finder
‎07-24-2024 03:40 AM

How i can display the data sum of 2 fields like Last month same date data (example: 24 june and 24 may)
I have tried the below query i was getting the data but how i can show in a manner.

index=gc source=apps
| eval AMT=if(IND="DR", BASE_AMT*-1, BASE_AMT)
| eval GLBL1=if(FCR="DR", GLBL*-1, GLBL)
| eval DATE="20".substr(REC_DATE,1,2).substr(REC_DATE,3,2).substr(REC_DATE,5,2)
| eval current_pdate_4=strftime(relative_time(now(), "-30d@d"),"%Y%m%d")
| where DATE = current_pdate_4
| stats sum(AMT) as w4AMT, sum(GLBL1) as w4FEE_AMT by DATE id

|append
[search index=gc source=apps
| eval AMT=if(IND="DR", BASE_AMT*-1, BASE_AMT)
| eval GLBL1=if(FCR="DR", GLBL*-1, GLBL)
| eval DATE="20".substr(REC_DATE,1,2).substr(REC_DATE,3,2).substr(REC_DATE,5,2)
| eval current_pdate_3=strftime(relative_time(now(), "-@d"),"%Y%m%d")
| where DATE = current_pdate_3
| stats sum(AMT) as w3AMT, sum(GLBL1) as w3FEE_AMT by DATE id
| table DATE, id  w3AMT, w4AMT, w4FEE_AMT w3FEE_AMT
| rename Date as  currentDATE, w3AMT as currentdata, w3FEE_AMT as currentamt w4AMT as lastmonthdate w4FEE_AMT as lastmonthdateamt



DATE, id currentdata lastmonthdate currentamt lastmonthdateamt
20240723 2 2323 2123 23 24
20240723 3 2423 2123 23 24
20240723 4 2223 2123 23 24
20240723 5 2323 2123 23 24
20240723 6 2329 2123 23 24
20240723 7 2323 2123 23 24
Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-24-2024 06:34 AM

Try something like this

index=gc source=apps
| eval AMT=if(IND="DR", BASE_AMT*-1, BASE_AMT)
| eval GLBL1=if(FCR="DR", GLBL*-1, GLBL)
| eval DATE="20".REC_DATE
| where DATE = strftime(relative_time(now(), "-30d@d"),"%Y%m%d") OR DATE=strftime(relative_time(now(), "@d"),"%Y%m%d")
| stats sum(AMT) as w3AMT, sum(GLBL1) as w3FEE_AMT by DATE id
| eval w4AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),null(),w3AMT)
| eval w3AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),w3AMT,null())
| eval w4FEE_AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),null(),w3FEE_AMT)
| eval w3FEE_AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),w3FEE_AMT,null())
| eval DATE=strftime(relative_time(now(), "@d"),"%Y%m%d")
| stats values(*) as * by DATE id
Reply

Anud
Path Finder
‎07-24-2024 11:24 AM

Its working !
Thank you for your quick response.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...