Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How i can display the data sum of 2 fields like Last month same date data (example: 24 june and 24 may)

Anud
Path Finder
‎07-24-2024 03:40 AM

How i can display the data sum of 2 fields like Last month same date data (example: 24 june and 24 may)
I have tried the below query i was getting the data but how i can show in a manner.

index=gc source=apps
| eval AMT=if(IND="DR", BASE_AMT*-1, BASE_AMT)
| eval GLBL1=if(FCR="DR", GLBL*-1, GLBL)
| eval DATE="20".substr(REC_DATE,1,2).substr(REC_DATE,3,2).substr(REC_DATE,5,2)
| eval current_pdate_4=strftime(relative_time(now(), "-30d@d"),"%Y%m%d")
| where DATE = current_pdate_4
| stats sum(AMT) as w4AMT, sum(GLBL1) as w4FEE_AMT by DATE id

|append
[search index=gc source=apps
| eval AMT=if(IND="DR", BASE_AMT*-1, BASE_AMT)
| eval GLBL1=if(FCR="DR", GLBL*-1, GLBL)
| eval DATE="20".substr(REC_DATE,1,2).substr(REC_DATE,3,2).substr(REC_DATE,5,2)
| eval current_pdate_3=strftime(relative_time(now(), "-@d"),"%Y%m%d")
| where DATE = current_pdate_3
| stats sum(AMT) as w3AMT, sum(GLBL1) as w3FEE_AMT by DATE id
| table DATE, id  w3AMT, w4AMT, w4FEE_AMT w3FEE_AMT
| rename Date as  currentDATE, w3AMT as currentdata, w3FEE_AMT as currentamt w4AMT as lastmonthdate w4FEE_AMT as lastmonthdateamt



DATE, id currentdata lastmonthdate currentamt lastmonthdateamt
20240723 2 2323 2123 23 24
20240723 3 2423 2123 23 24
20240723 4 2223 2123 23 24
20240723 5 2323 2123 23 24
20240723 6 2329 2123 23 24
20240723 7 2323 2123 23 24
Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-24-2024 06:34 AM

Try something like this

index=gc source=apps
| eval AMT=if(IND="DR", BASE_AMT*-1, BASE_AMT)
| eval GLBL1=if(FCR="DR", GLBL*-1, GLBL)
| eval DATE="20".REC_DATE
| where DATE = strftime(relative_time(now(), "-30d@d"),"%Y%m%d") OR DATE=strftime(relative_time(now(), "@d"),"%Y%m%d")
| stats sum(AMT) as w3AMT, sum(GLBL1) as w3FEE_AMT by DATE id
| eval w4AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),null(),w3AMT)
| eval w3AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),w3AMT,null())
| eval w4FEE_AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),null(),w3FEE_AMT)
| eval w3FEE_AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),w3FEE_AMT,null())
| eval DATE=strftime(relative_time(now(), "@d"),"%Y%m%d")
| stats values(*) as * by DATE id
Reply

Anud
Path Finder
‎07-24-2024 11:24 AM

Its working !
Thank you for your quick response.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...