
## How to find difference in field total over time?

Explorer

I have event data in below format:

```
Sep 15 2017 07:06:07    app=yahoo    dataconsumed=50
Sep 15 2017 08:16:07    app=skype    dataconsumed=150
Sep 14 2017 10:26:07    app=facebook   dataconsumed=10
Sep 14 2017 12:26:07    app=facebook    dataconsumed=5
Sep 13 2017 7:26:07    app=yahoo    dataconsumed=10
Sep 13 2017 9:26:07    app=skype    dataconsumed=50
Sep 12 2017 3:26:07    app=facebook   dataconsumed=80
Sep 12 2017 1:26:07    app=facebook    dataconsumed=0
```

How should I perform the following tasks:

1. For any given time range, search and split the events into two halves of "day" or "hours", i.e. if "All Time" is selected as the time range using the Time Picker, I should be able to split the above events into two halves by day (firsthalf = Sep 15 to Sep 14 and secondhalf = Sep 13 to Sep 12) or by hour (firsthalf = 48 hours, secondhalf = 48 hours).
2. Then, after splitting the events into two halves, I must sum dataconsumed by app in both halves (events split by time), i.e.

| time | app | total_dataconsumed |
|---|---|---|
| firsthalf | yahoo | 50 |
| firsthalf | skype | 150 |
| secondhalf | yahoo | 10 |
| secondhalf | skype | 50 |

3. Find the difference between total_dataconsumed by app using firsthalf and secondhalf, i.e. firsthalf - secondhalf:

| app | difference |
|---|---|
| yahoo | 40 |
| skype | 100 |

I am still stuck on step 1; I don't seem to understand how one should split the search events into halves/spans and apply stats on both halves.


## Re: How to find difference in field total over time?

Splunk Employee

There may be an easier way to do this, but you could try:

```spl
| eventstats min(_time) as startTime, range(_time) as timeElapsed
| eval halfwayMark=startTime+(timeElapsed/2)
| eval series=if(_time<halfwayMark, "firstHalf", "secondHalf")
| chart sum(dataconsumed) by app, series
| eval diff=firstHalf-secondHalf
```
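The same three steps the search performs (halfway mark of the searched range from its earliest and latest event, per-app sums for each half, then the difference), as an added Python example run over the question's sample events; this is not code from the thread or from Splunk, and the event lines are constructed from the question's data. One point the example makes explicit: the search above labels the earlier half "firstHalf", while the question counts the later days (Sep 15 and Sep 14) as firsthalf, so the sign of the difference flips between the two conventions; the example follows the question's convention.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, in the format shown in the question.
RAW_EVENTS = """\
Sep 15 2017 07:06:07    app=yahoo    dataconsumed=50
Sep 15 2017 08:16:07    app=skype    dataconsumed=150
Sep 14 2017 10:26:07    app=facebook   dataconsumed=10
Sep 14 2017 12:26:07    app=facebook    dataconsumed=5
Sep 13 2017 7:26:07    app=yahoo    dataconsumed=10
Sep 13 2017 9:26:07    app=skype    dataconsumed=50
Sep 12 2017 3:26:07    app=facebook   dataconsumed=80
Sep 12 2017 1:26:07    app=facebook    dataconsumed=0
"""


def parse_events(raw):
    """Parse one event per line into (time, app, dataconsumed) tuples,
    the equivalent of Splunk's timestamp and key=value extraction."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        # The first four tokens are the timestamp; the rest are key=value pairs.
        ts = datetime.strptime(" ".join(parts[:4]), "%b %d %Y %H:%M:%S")
        kv = dict(p.split("=", 1) for p in parts[4:])
        events.append((ts, kv["app"], float(kv["dataconsumed"])))
    return events


def split_into_halves(events):
    """Step 1: label each event with the half of the searched range it falls in.
    The halfway mark is min(_time) + range(_time)/2, as in the SPL answer.
    Following the question's wording, the later half is 'firsthalf'."""
    times = [t for t, _, _ in events]
    start, end = min(times), max(times)
    halfway = start + (end - start) / 2
    return [
        ("secondhalf" if t < halfway else "firsthalf", app, used)
        for t, app, used in events
    ]


def total_by_app_and_half(labelled):
    """Step 2: sum dataconsumed per app and half, like chart sum(...) by app, series.
    Every app starts with 0 in both halves, so an app seen in only one half
    still gets a numeric value for the other (what fillnull does in SPL)."""
    totals = defaultdict(lambda: {"firsthalf": 0.0, "secondhalf": 0.0})
    for half, app, used in labelled:
        totals[app][half] += used
    return dict(totals)


def difference_by_app(totals):
    """Step 3: firsthalf - secondhalf for each app."""
    return {app: t["firsthalf"] - t["secondhalf"] for app, t in totals.items()}


def run(raw=RAW_EVENTS):
    """Whole pipeline: parse, split, sum, diff. Returns {app: difference}."""
    return difference_by_app(total_by_app_and_half(split_into_halves(parse_events(raw))))


if __name__ == "__main__":
    for app, diff in sorted(run().items()):
        print(f"{app:10s} {diff:+.0f}")
```

On the sample data the halfway mark lands in the afternoon of Sep 13, so the Sep 12 and Sep 13 events form one half and the Sep 14 and Sep 15 events the other, giving yahoo 40, skype 100 and facebook -65. In the SPL search, an app with no events in one half gets an empty cell from `chart`, and `firstHalf-secondHalf` is then null for that row; adding `| fillnull value=0` before the final `eval` gives the 0-as-missing behaviour the example uses.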

## Re: How to find difference in field total over time?

Explorer

Thanks @jluo [Splunk], but I still cannot get a difference between both halves.
`...| eval diff=firstHalf-secondHalf` does not do anything.


## Re: How to find difference in field total over time?

Splunk Employee

Could you go into detail about what you're seeing? Without more information, I can't tweak the search.


## Re: How to find difference in field total over time?

Esteemed Legend

Try this:

```spl
Your Base Search Here
```