Splunk Search

How to build a search that compares the results of 2 dates and shows delta?

smcdonald20
Path Finder

I have the following data

Date          Server       Value
1st Jan       abc          10
1st Jan       xyz          12
2nd Jan       abc          15
2nd Jan       xyz          20

I want to be able to find the change in value, per server over time.

I would like the results to be similar to:

Server    ChangeSinceYesterday
abc       5
xyz       8

Can anyone help me to do this in Splunk?

0 Karma
1 Solution

sundareshr
Legend

Try this

.... | reverse | streamstats window-1 current=f earliest(value) as p_val by server | eval chg=p_val-value | table date server chg

View solution in original post

0 Karma

sundareshr
Legend

Try this

.... | reverse | streamstats window-1 current=f earliest(value) as p_val by server | eval chg=p_val-value | table date server chg
0 Karma

smcdonald20
Path Finder

Sundeshr this is now working! Thank you!

0 Karma

smcdonald20
Path Finder

Thank you!
I think this may work, but might be missing something in the syntax...

Full search below:

index=ad source=otl_aduserscan 
| search samAccountName=smcdonald
| table displayName, samAccountName,  mailboxGB  
| sort by displayName
| reverse | streamstats window=1 current=f earliest(mailboxGB) as p_val by samAccountName | eval chg=(p_val- mailboxGB) | table samAccountName, mailboxGB, chg
0 Karma

sundareshr
Legend

What's the error you're getting?

0 Karma
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...