How to compare the hourly count of events for a particular event and show what is the difference?

vrmandadi
Builder

I am trying to create a search which will give the difference in count for a field called "id" and show what those different values for that field "id" are.

For instance, if the current hour count for id is 900 and the previous hour count is 830, I want to see the difference as 70 and show what those 70 different ids are. Currently I am able to get the difference using the search below:

index="netbox_test"
| rename "results{}.id" as "id"
| timechart span=1h count(id) as total
| delta total as difference

Thanks in Advance


ITWhisperer
SplunkTrust
| bin _time span=1h
| stats dc(_time) as hours min(_time) as _time by id
| where hours = 1
| stats values(id) as ids by _time

Ids in the earlier hour are missing from the later hour and ids in the later hour are new to the later hour.


vrmandadi
Builder

Thank you. Let me check this and get back to you.


PickleRick
Ultra Champion

If the difference in id count between two hour-long periods is 70, that doesn't mean that it's only 70 ids that differ. Example: in one hour you have ids 1,2,3 and in the next 4,5. The count difference is 1 but all the ids are different.

Either you're assuming too much or there are additional unmentioned conditions.


vrmandadi
Builder

To be more clear, I am pulling netbox data into Splunk, so there are 900 devices in netbox. Sometimes these 900 devices might be turned off, removed or added, so when these changes occur the count differs. I want to see what the difference is when compared hourly. I was able to find the difference every hour by using delta, but I want to know what those different devices are for that particular hour, i.e. compare the current hour with the previous hour and show the count difference and what is different.

Example:

Previous Hour: 1, 2, 3

Current Hour: 2, 3, 4, 5, 6

Difference Count: 2

IDs different: 1, 4, 5, 6


PickleRick
Ultra Champion

So you see for yourself that simply counting is not a reliable way of noticing that the sets are different. If you had 1,2,3,4 during one hour and 3,4,6,9 next hour, you'd miss that 1,2 turned into 6,9.

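The set-difference logic the thread converges on, as an added Python example (not Splunk SPL and not code from any of the posters) over constructed sample events: it buckets ids by hour the way `bin _time span=1h | stats values(id) by _time` does, then reports the count delta next to the ids that were actually added and removed, so an hour whose count delta is 0 but whose membership changed (PickleRick's case) is still visible.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, device id), standing in for the
# "results{}.id" field of the NetBox data in the question. Hour 10 -> 11
# matches the poster's example; hour 11 -> 12 keeps the count at 5 while
# swapping three ids, which a plain count delta cannot reveal.
SAMPLE_EVENTS = [
    ("2024-05-01T10:05:00", 1), ("2024-05-01T10:20:00", 2),
    ("2024-05-01T10:40:00", 3),
    ("2024-05-01T11:02:00", 2), ("2024-05-01T11:10:00", 3),
    ("2024-05-01T11:15:00", 4), ("2024-05-01T11:30:00", 5),
    ("2024-05-01T11:45:00", 6),
    ("2024-05-01T12:00:00", 4), ("2024-05-01T12:12:00", 5),
    ("2024-05-01T12:30:00", 7), ("2024-05-01T12:50:00", 8),
    ("2024-05-01T12:55:00", 9),
]


def bucket_by_hour(events):
    """Equivalent of `bin _time span=1h | stats values(id) by _time`:
    returns {hour_start: set_of_ids}, ordered by hour."""
    buckets = defaultdict(set)
    for ts, dev_id in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        buckets[hour].add(dev_id)
    return dict(sorted(buckets.items()))


def hourly_diff(events):
    """For each hour after the first, give the count delta (what `delta`
    reports) alongside the ids that appeared and disappeared."""
    buckets = bucket_by_hour(events)
    hours = list(buckets)
    report = []
    for prev, cur in zip(hours, hours[1:]):
        before, after = buckets[prev], buckets[cur]
        report.append({
            "hour": cur.isoformat(),
            "count_delta": len(after) - len(before),
            "added": sorted(after - before),      # new in this hour
            "removed": sorted(before - after),    # missing from this hour
        })
    return report


if __name__ == "__main__":
    for row in hourly_diff(SAMPLE_EVENTS):
        print(row)
```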