Splunk Search

How to generate a search to find delta between totals from yesterday and today?

Communicator

I have a log for a documents database. It gives me a daily report of total documents in each collection (each collection and total is one event in the log).

The powers have asked that I show how many documents were added each day for yesterday's and today's totals. So basically, I need to gather and compute the following:

-2d@d -> collection=master doccount=1000
-1d@d -> collection=master doccount=1200 delta=200
@d -> -> collection=master doccount=1500 delta=300

and I need to do this per collection for about 50 collections.

I'm playing with some pretty complex evals, but I hope there is a simpler way

0 Karma
1 Solution

Champion

Check out streamstats, which does allow a BY clause (to satisfy your per collection requirement).

And a (potentially correct/working) run-anywhere example:

index=_internal idx=* b=*
| bin span=1d _time
| stats sum(b) AS bytes BY _time idx
| streamstats current=f last(bytes) AS last_bytes BY idx
| eval delta=if(isnotnull(last_bytes), bytes-last_bytes, "N/A") 

View solution in original post

0 Karma

Champion

Check out streamstats, which does allow a BY clause (to satisfy your per collection requirement).

And a (potentially correct/working) run-anywhere example:

index=_internal idx=* b=*
| bin span=1d _time
| stats sum(b) AS bytes BY _time idx
| streamstats current=f last(bytes) AS last_bytes BY idx
| eval delta=if(isnotnull(last_bytes), bytes-last_bytes, "N/A") 

View solution in original post

0 Karma

Communicator

I hereby announce my undying love for you and your queries!

Thanks a bunch.

0 Karma