How to compare current month count to a 3 months a...

msalghamdi · ‎06-11-2023

Hello Splunkers.

i need your help in creating a search that would count number of values for a field in a month and then compare it to a 3months average of the same results.

thanks

gcusello · ‎06-11-2023

Hi @msalghamdi,

only one question,: do you want to calculate the count for the current month or the last 30 days or the previous month?

because if the current month you have an incomplete count, I suppose that you want the last complete month count compared with the three months before count.

so please try this:

index=your_index earliest=-mon@mon latest=@mon
| stats count AS "Current month"
| append [ search 
   index=your_index earliest=-4mon@mon latest=-3mon@mon
   | stats count AS "Three months ago" ]
| table "Current month" "Three months ago"
| eval Diff="Three months ago"-"Current month"

Ciao.

Giuseppe

michael3 · ‎05-28-2024

Thank you! This was exactly what I was looking for. Much easier than trying to use eventstats

How to compare current month count to a 3 months average?

stats

table

timechart

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?