Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare search result for first 15 min and last 45 min?

salavilli0611
New Member
‎09-16-2019 12:00 PM

Following is the result we got

   Action_ Name Time    Count
ABC        1:15 AM      100
ABC        1:30 AM      200
ABC           1:45 AM       300
ABC             2:00        50

Now I want to compare the row2 (1:30 AM) Count : 200 with row4(2:00 AM) Count 50
I am new to splunk and I don't know how to do it

Following is the below splunk query:

index=... sourcetype= .... | bucket _time span=15m | stats count by Action_Name,_time
Tags (2)
0 Karma
Reply

jacobpevans
Motivator
‎09-16-2019 01:53 PM

Greetings @salavilli0611,

Please take a look at this run-anywhere search. If needed, you can add a by to the timechart, but your sample data does not indicate you do. When you plug this into your search, replace count with sum(count) (and remove the bin command since timechart does that for you)

index=_internal sourcetype=splunkd log_level=ERROR
| timechart span=15m count
| timewrap 15min

alt text

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Preview file
38 KB
0 Karma
Reply

adonio
Ultra Champion
‎09-16-2019 01:24 PM

what will be the desired result / view / table look like?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...