Splunk Search

How to build a search that compares the results of 2 dates and shows delta?

Path Finder

I have the following data

Date          Server       Value
1st Jan       abc          10
1st Jan       xyz          12
2nd Jan       abc          15
2nd Jan       xyz          20

I want to be able to find the change in value, per server over time.

I would like the results to be similar to:

Server    ChangeSinceYesterday
abc       5
xyz       8

Can anyone help me to do this in Splunk?

0 Karma
1 Solution

Legend

Try this

.... | reverse | streamstats window-1 current=f earliest(value) as p_val by server | eval chg=p_val-value | table date server chg

View solution in original post

0 Karma

Legend

Try this

.... | reverse | streamstats window-1 current=f earliest(value) as p_val by server | eval chg=p_val-value | table date server chg

View solution in original post

0 Karma

Path Finder

Sundeshr this is now working! Thank you!

0 Karma

Path Finder

Thank you!
I think this may work, but might be missing something in the syntax...

Full search below:

index=ad source=otl_aduserscan 
| search samAccountName=smcdonald
| table displayName, samAccountName,  mailboxGB  
| sort by displayName
| reverse | streamstats window=1 current=f earliest(mailboxGB) as p_val by samAccountName | eval chg=(p_val- mailboxGB) | table samAccountName, mailboxGB, chg
0 Karma

Legend

What's the error you're getting?

0 Karma