## How to generate a search to find delta between totals from yesterday and today?

Communicator

I have a log for a documents database. It gives me a daily report of total documents in each collection (each collection and total is one event in the log).

The powers have asked that I show how many documents were added each day for yesterday's and today's totals. So basically, I need to gather and compute the following:

```
-2d@d -> collection=master doccount=1000
-1d@d -> collection=master doccount=1200 delta=200
@d    -> collection=master doccount=1500 delta=300
```

and I need to do this per collection for about 50 collections.

I'm playing with some pretty complex evals, but I hope there is a simpler way.

1 Solution
Champion

Check out streamstats, which does allow a BY clause (to satisfy your per collection requirement).

And a (potentially correct/working) run-anywhere example:

```
index=_internal idx=* b=*
| bin span=1d _time
| stats sum(b) AS bytes BY _time idx
| streamstats current=f last(bytes) AS last_bytes BY idx
| eval delta=if(isnotnull(last_bytes), bytes-last_bytes, "N/A")
```
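
An added example (not part of the original answer) that applies the same `streamstats ... BY` pattern to the question's `collection` and `doccount` fields and keeps only yesterday's and today's rows. The events are constructed inline from the question's sample numbers plus a constructed `archive` collection, so the search runs without any index; the field names `constructed_sample`, `days_ago` and `prev_doccount` are assumptions.

```spl
| makeresults
| eval constructed_sample="2,master,1000;1,master,1200;0,master,1500;2,archive,50;1,archive,50;0,archive,80"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<days_ago>\d+),(?<collection>[^,]+),(?<doccount>\d+)$"
| eval _time=relative_time(now(), "@d") - tonumber(days_ago)*86400
| eval doccount=tonumber(doccount)
| sort 0 _time collection
| streamstats current=f last(doccount) AS prev_doccount BY collection
| eval delta=if(isnotnull(prev_doccount), doccount-prev_doccount, "N/A")
| where _time>=relative_time(now(), "@d")-86400
| table _time collection doccount delta
```

The `-2d@d` row is read only so that yesterday has a baseline, then dropped by the `where`. Against real data, the lines up to `sort` would be replaced by the base search over `earliest=-2d@d`, followed by `bin span=1d _time` and `stats latest(doccount) AS doccount BY _time collection`.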
Communicator

I hereby announce my undying love for you and your queries!

Thanks a bunch.
