Splunk Search

How to find difference in value between search strings?

Gowtham0809
New Member

Hi,

I am using a single search string with two different time rage to find the disk space.

Search string : index= source="PerfmonMk:Free Disk Space" "%_Free_Space"="*" E | eval volume=Free_Megabytes/1024 | chart avg(volume)
1. Time range of last 24 hours
2. Time range of Previous month

By using this I am getting two different charts as output.

I need the string to find the difference between these two charts. or a single string to define the disk space of current day and 30 days before (previous month)

Thanks,

Tags (1)
0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

How about this?

index_earliest=-1d@d index=index source="PerfmonMk:Free Disk Space" "%_Free_Space"="*" E 
| eval volume=Free_Megabytes/1024 
| bin _time bins=30 
| stats avg(volume) as daily_Kilobytes by _time
| append 
 [
 search index_earliest=-1mon@mon index_latest=@m index=index source="PerfmonMk:Free Disk Space" "%_Free_Space"="*" E 
| bin _time span=1d
| eval volume=Free_Megabytes/1024 
| stats avg(volume) as monthly_Kilobytes by _time
 ]
| timechart values(daily_Kilobytes) values(monthly_Kilobytes) 

View solution in original post

0 Karma

jkat54
SplunkTrust
SplunkTrust

How about this?

index_earliest=-1d@d index=index source="PerfmonMk:Free Disk Space" "%_Free_Space"="*" E 
| eval volume=Free_Megabytes/1024 
| bin _time bins=30 
| stats avg(volume) as daily_Kilobytes by _time
| append 
 [
 search index_earliest=-1mon@mon index_latest=@m index=index source="PerfmonMk:Free Disk Space" "%_Free_Space"="*" E 
| bin _time span=1d
| eval volume=Free_Megabytes/1024 
| stats avg(volume) as monthly_Kilobytes by _time
 ]
| timechart values(daily_Kilobytes) values(monthly_Kilobytes) 
0 Karma

DalJeanis
Legend

@jkat54 - m is minute. Probably need to use -30d@d.

0 Karma

Gowtham0809
New Member

Thank you and it worked

0 Karma

jkat54
SplunkTrust
SplunkTrust

i always do that, thanks... updated to mon for month

0 Karma

adonio
Ultra Champion

how about using timechart command? set the timepicker to last 30 days

 index= source="PerfmonMk:Free Disk Space" "%_Free_Space"="*" E | eval volume=Free_Megabytes/1024 | timechart span=24h avg(volume)

hope it helps

0 Karma

Gowtham0809
New Member

Thank you and it worked

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...