Re: compare current month count to a 3months avera...

msalghamdi · ‎06-11-2023

Hello Splunkers.

i need your help in creating a search that would count number of values for a field in a month and then compare it to a 3months average of the same results.

thanks

gcusello · ‎06-11-2023

Hi @msalghamdi,

only one question,: do you want to calculate the count for the current month or the last 30 days or the previous month?

because if the current month you have an incomplete count, I suppose that you want the last complete month count compared with the three months before count.

so please try this:

index=your_index earliest=-mon@mon latest=@mon
| stats count AS "Current month"
| append [ search 
   index=your_index earliest=-4mon@mon latest=-3mon@mon
   | stats count AS "Three months ago" ]
| table "Current month" "Three months ago"
| eval Diff="Three months ago"-"Current month"

Ciao.

Giuseppe

michael3 · ‎05-28-2024

Thank you! This was exactly what I was looking for. Much easier than trying to use eventstats

How to compare current month count to a 3 months average?

stats

table

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation