Splunk Search

How to find Delta between 2 sets of events?

SplunkDash
Motivator

Hello,

I have use cases to find the Delta between 2 sets of events. We get events once a day; our objective is to find the delta between current events (events received today) and the events we received yesterday and create a report based on that delta (events). Any recommendation would be highly appreciated. Thank you so much.


bowesmana
SplunkTrust

Not sure what you understand by "delta", but this sort of starting point

(search_today_events) OR (search_yesterday_events)
| eval group=if(_time >= relative_time(now(), "@d"), "today", "yesterday")
| stats count by group

This will simply search for both yesterday's events and today's events and do a "count" of total events found in each "group".

If your meaning of 'delta' encompasses other differences, e.g. count of logons, sales of product, then you will have to expand on this basic type of search.


SplunkDash
Motivator

Hello,

Thank you so much for your quick response, truly appreciate it.

Delta means:

[Delta] = [Today's Events - Yesterday's Events]

[Report] = [Delta]

Let me know if you need any more clarifications on it.


bowesmana
SplunkTrust

Simple search then looks like this

your_search earliest=-2d@d latest=@d
| bin _time span=1d
| stats count by _time
| delta count as delta
| where isnotnull(delta)
| fields delta

It will give you a single value 'delta' with a positive (increase) or negative (decrease) of previous day's event count.

SplunkDash
Motivator

Hello,

Thank you again. Yes, it's giving me the values in positive/negative increases. But my interest is to get the list of those events. Any recommendation would be highly appreciated.

bowesmana
SplunkTrust

That was the purpose of my question around what is 'delta'. First you need to clarify what events constitute a 'difference', i.e. how can the search know what event yesterday corresponds to its equivalent matching event today.

Please provide some examples of events from 'yesterday' that are

1. The same and should be ignored

2. Different and should be listed in the delta

SplunkDash
Motivator

@bowesmana

Thank you for your quick response. Here are what you requested:

1. The same and should be ignored

Today's Events = Yesterday's Events + New Events

2. Different and should be listed in the delta

We only need to display New Events (Different) as Delta.

Please let me know if you need more clarifications. Thank you again.

bowesmana
SplunkTrust

Clarification required:

You need to be clear on what equality means

If yesterday you have

event1 : time=... message=this is a message

and today you have

event 1: time=... message=this is also a message

is that the same or different?

Please provide examples of what you mean by

today = yesterday


SplunkDash
Motivator

@bowesmana

Ok got it.

yesterday I have

event1 : time=... message=this is a message

event2 : time=... message=this is a message

event3 : time=... message=this is a message

event4 : time=... message=this is a message

and today I have

event1 : time=... message=this is a message

event2 : time=... message=this is a message

event3 : time=... message=this is a message

event4 : time=... message=this is a message

event5 : time=... message=this is a message

event6 : time=... message=this is a message

Is that the same or different? Events 1-3 in both cases are the same. But Event 4 is different, and Events 5-6 are completely new events and are also different.

Let me know if you need more clarifications. Thank you!

SplunkDash
Motivator

@bowesmana

One more to add: It should only display events 4, 5, and 6 as a Delta. Thank you again.


bowesmana
SplunkTrust

Why is event 4 different?

So, are you saying that if you have 10 events yesterday and 12 events today, then it DOES NOT MATTER what those events contain, you ONLY want to know that the difference is 2 events and then to see all events above event 10?

What if you had 10 events yesterday and 8 events today - what do you want to see?

It would be really helpful if you could provide a real scenario example of your data and explain what it is you are trying to see.

SplunkDash
Motivator

@bowesmana

It was just an example; there might be more events. In our last example, we only need to see events 4, 5, and 6, since the info/content of events 4, 5, and 6 is not the same as what we had yesterday. Thank you again!

PickleRick
SplunkTrust

There is a set command - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Set

But I'd rather use the "classify and filter" approach.

Something like

<your search>
| eval is_yesterday=if(now()-_time>86400,1,0)
| stats values(is_yesterday) as is_yesterday by <your relevant fields>
| search NOT is_yesterday=1

Of course you can adjust the is_yesterday calculation to your needed condition.
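The classify-and-filter approach above, worked through in Python as an added example (not code from this thread): it reproduces what the eval/stats/search pipeline does, on constructed sample events keyed by an assumed host+message pair as the "relevant fields", and also reports the reverse direction (keys seen yesterday but not today), which the thread asked about but did not answer.

```python
from datetime import datetime, timedelta, timezone

# Assumed "now" for the example; in Splunk this is now() at search time.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)

# Constructed sample events (not from the thread): four events yesterday; today repeats
# three of them, carries a changed version of the fourth, and adds two new ones.
EVENTS = [
    {"_time": NOW - DAY - timedelta(hours=2), "host": "web1", "message": "login ok"},
    {"_time": NOW - DAY - timedelta(hours=2), "host": "web1", "message": "disk 80% full"},
    {"_time": NOW - DAY - timedelta(hours=2), "host": "web2", "message": "login ok"},
    {"_time": NOW - DAY - timedelta(hours=2), "host": "web2", "message": "cert expires in 10 days"},
    {"_time": NOW - timedelta(hours=3), "host": "web1", "message": "login ok"},
    {"_time": NOW - timedelta(hours=3), "host": "web1", "message": "disk 80% full"},
    {"_time": NOW - timedelta(hours=3), "host": "web2", "message": "login ok"},
    {"_time": NOW - timedelta(hours=3), "host": "web2", "message": "cert expires in 9 days"},
    {"_time": NOW - timedelta(hours=3), "host": "web3", "message": "login failed"},
    {"_time": NOW - timedelta(hours=3), "host": "web1", "message": "firewall dropped packet"},
]


def classify(events, now):
    """| eval is_yesterday=if(now()-_time>86400,1,0)
    Rolling 24h window, as in the thread. For calendar days you would instead use
    int(e["_time"].date() < now.date()), the equivalent of relative_time(now(), "@d")."""
    return [dict(e, is_yesterday=int((now - e["_time"]).total_seconds() > 86400))
            for e in events]


def stats_values_by(events, fields):
    """| stats values(is_yesterday) as is_yesterday by <fields>
    One row per distinct key; its value is the set of day markers the key was seen with."""
    groups = {}
    for e in events:
        groups.setdefault(tuple(e[f] for f in fields), set()).add(e["is_yesterday"])
    return groups


def event_delta(events, fields, now=NOW):
    """Returns (keys only seen today, keys only seen yesterday), both sorted."""
    groups = stats_values_by(classify(events, now), fields)
    # | search NOT is_yesterday=1  -> drop any key that also appeared yesterday
    new_today = sorted(k for k, seen in groups.items() if 1 not in seen)
    # The reverse direction: keys that were present yesterday but have no event today.
    gone_since_yesterday = sorted(k for k, seen in groups.items() if 0 not in seen)
    return new_today, gone_since_yesterday


if __name__ == "__main__":
    new, gone = event_delta(EVENTS, ["host", "message"])
    print("new today:", new)
    print("gone since yesterday:", gone)
```

Note that a changed event (the cert message) shows up once in each list, because the key is the full content; that is exactly the "event 4 is different" case from the thread.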
