Solved: How to build a search that compares the results of...

smcdonald20 · ‎12-06-2016

I have the following data

Date          Server       Value
1st Jan       abc          10
1st Jan       xyz          12
2nd Jan       abc          15
2nd Jan       xyz          20

I want to be able to find the change in value, per server over time.

I would like the results to be similar to:

Server    ChangeSinceYesterday
abc       5
xyz       8

Can anyone help me to do this in Splunk?

sundareshr · ‎12-06-2016

Try this

.... | reverse | streamstats window-1 current=f earliest(value) as p_val by server | eval chg=p_val-value | table date server chg

View solution in original post

sundareshr · ‎12-06-2016

Try this

.... | reverse | streamstats window-1 current=f earliest(value) as p_val by server | eval chg=p_val-value | table date server chg

smcdonald20 · ‎12-08-2016

Sundeshr this is now working! Thank you!

smcdonald20 · ‎12-06-2016

Thank you!
I think this may work, but might be missing something in the syntax...

Full search below:

index=ad source=otl_aduserscan 
| search samAccountName=smcdonald
| table displayName, samAccountName,  mailboxGB  
| sort by displayName
| reverse | streamstats window=1 current=f earliest(mailboxGB) as p_val by samAccountName | eval chg=(p_val- mailboxGB) | table samAccountName, mailboxGB, chg

sundareshr · ‎12-08-2016

What's the error you're getting?

How to build a search that compares the results of 2 dates and shows delta?

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)