Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to find difference between a current event and previous event and display the changes?

armonsal
Explorer
‎10-23-2014 07:13 AM

Hello everyone,

I have events with this format

10/23/2014 04:00:02 -0300, search_name=CDR_INSTITUCIONES_APP, search_now=1414047600.000, info_max_time=1414047600.000, info_search_time=1414047602.224, INST_CODG=9850, INST_ESTD=0, INST_NMCR="AFP Habitat", fecha_creacion="03-08-2007 08:58:49", fecha_mod="03-08-2007 08:58:49"

I extracted the log from database with Splunk DBX with a scheduled search. I need to find if a difference exists between the current event and the previous event (only 1 previous event not more). If i have a difference, i need show this to detect changes in the accounts.

To identify each unique event the fields are INST_NMCR and INST_CODG

Help me please.

0 Karma
Reply

somesoni2
Revered Legend
‎10-23-2014 02:48 PM

Try this

index="cdr_app_instituciones" INST_NMCR="SIISA" | eval INST_CODG=if(INST_CODG="7434","9850",INST_CODG) | search INST_CODG="9850"  | stats first(_time) as today_time last(_time) as yest_time first(fecha_mod)  as today_fecha_mod last(fecha_mod)  as yest_fecha_mod by INST_NMCR | where today_fecha_mod!=yest_fecha_mod
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-23-2014 07:31 AM

You want to use the command delta to calculate the evolution between 2 events.

http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Delta

example with values raising without sub digits.

mysearch | delta myfield AS evolution p=1 | eval whathappened=case(evolution>=1,"raised",evolution<=1,"went down",1=1,"not changed")

0 Karma
Reply

armonsal
Explorer
‎10-23-2014 07:37 AM

alt textThanks you so much. But if i need to find the difference between two tables, for example my previous results have one table from yesterday with multiple users and today i have the same table but with changes, i need to find the difference between two result tables. the case is always comparing the results of yesterday with today's day (from two tables)

i tried the query but it shows me all events with the field "what happened", i just need to see the changes between current events and only previous events (not all previous event only the previous most recent)

If you see in my attachement the field fecha_mod change but the field whathappened not show the change...
http://answers.splunk.com/storage/attachments/3455-example.png

Preview file
48 KB
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...