Hello,

Thank you so much for your quick response, truly appreciate it.

Delta Meant:

[Delta] = [Today's Events - Yesterday's Events]

[Report] = [Delta] 

Let me know if you need any more clarifications on it.

Simple search then looks like this

your_search earliest=-2d@d latest=@d
| bin _time span=1d
| stats count by _time
| delta count as delta
| where isnotnull(delta)
| fields delta

It will give you a single value 'delta' with a positive (increase) or negative (decrease) of previous day's event count.

Hello,

Thank you again. Yes, it's giving be the values in positive /negative increases. But my interest is to get the list of those events. Any recommendation would be highly appreciated.

That was the purpose of my question around what is 'delta'.First you need to clarify what events constitute a 'difference'. i.e. how can the search know what event yesterday corresponds to its equivalent matching event today.

Please provide some examples of events from 'yesterday' that are

1. The same and should be ignored

2. Different and should be listed in the delta

@bowesmana

Thank you for your quick response. Here are what you requested:

1. The same and should be ignored

Today's Events= Yesterday Events + New Events

2. Different and should be listed in the delta

Only we need Display New Events (Different) as Delta

Please let me know if you need more clarifications. Thank you again.

Clarification required:

You need to be clear on what equality means

If yesterday you have

event1 : time=... message=this is a message

and today you have

event 1: time=... message=this is also a message

is that the same or different?

Please provide examples of what you mean by

today = yesterday

@bowesmana

Ok got it.

yesterday I have

event1 : time=... message=this is a message

event2 : time=... message=this is a message

event 3 : time=... message=this is a message

event4 : time=... message=this is a message

and today I have

event1 : time=... message=this is a message

event2 : time=... message=this is a message

event 3 : time=... message=this is a message

event4 : time=... message=this is a message

event5 : time=... message=this is a message

event6 : time=... message=this is a message

is that the same or different? Events 1-3 in both cases are the same. But Event 4 is different and Event 5-6 completely new events and are also different

Let me know if you need more clarifications. Thank you!

@bowesmana

One more to add: It should only display events 4, 5, and 6 as a Delta. Thank you again.

Why is event 4 different?

So, are you saying that if you have 10 events yesterday and 12 events today, then it DOES NOT MATTER what those event contain, you ONLY want to know that the difference is 2 events and then to see all events above event 10.

What if you had 10 events yesterday and 8 events today - what do you want to see?

It would be really helpful if you could provide a real scenario example of your data and explain what it is you are trying to see

@bowesmana

It was just an example, there might be more events. In our last example, we only need to see, events 4,5, and 6, since info/content of events 4,5, and 6 are not the same what we had yesterday. Thank you again!

There is a set command - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Set

But I'd rather use the "clasify and filter" approach.

Something like

<your search>
| eval is_yesterday=if(now()-_time>86400,1,0)
| stats values(is_yesterday) by <your relevant fields>
| search NOT is_yesterday=1

Of course you can adjust the is_yesterday calculation to your needed condition.