Splunk Search

How to generate a search to find delta between totals from yesterday and today?

feickertmd
Communicator

I have a log for a documents database. It gives me a daily report of total documents in each collection (each collection and total is one event in the log).

The powers have asked that I show how many documents were added each day for yesterday's and today's totals. So basically, I need to gather and compute the following:

-2d@d -> collection=master doccount=1000
-1d@d -> collection=master doccount=1200 delta=200
@d -> collection=master doccount=1500 delta=300

and I need to do this per collection for about 50 collections.

I'm playing with some pretty complex evals, but I hope there is a simpler way.

0 Karma
1 Solution

micahkemp
Champion

Check out streamstats, which does allow a BY clause (to satisfy your per collection requirement).

And a (potentially correct/working) run-anywhere example:

index=_internal idx=* b=*
| bin span=1d _time
| stats sum(b) AS bytes BY _time idx
| streamstats current=f last(bytes) AS last_bytes BY idx
| eval delta=if(isnotnull(last_bytes), bytes-last_bytes, "N/A")

0 Karma
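The same streamstats pattern applied to the asker's daily document-count log, as an added example that is not part of the answer above. The index and sourcetype names are placeholders; it assumes each event carries `collection=` and `doccount=` fields and that one event per collection per day is a running total (so `latest()` is used rather than `sum()`), and it blanks the delta when the previous day's event is missing instead of silently comparing against an older day.

```spl
index=docdb sourcetype=docdb_daily collection=* doccount=* earliest=-2d@d latest=now
| bin span=1d _time
| stats latest(doccount) AS doccount BY _time collection
| sort 0 collection _time
| streamstats current=f window=1 last(doccount) AS prev_doccount last(_time) AS prev_time BY collection
| eval gap_days=round((_time-prev_time)/86400)
| eval delta=if(isnotnull(prev_doccount) AND gap_days==1, doccount-prev_doccount, null())
| eval day=strftime(_time, "%Y-%m-%d")
| table day collection doccount prev_doccount delta
| sort 0 collection day
```

With a three-day window the first row of each collection has no previous value, so its delta is empty; yesterday's and today's rows carry the per-collection delta the asker described.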


feickertmd
Communicator

I hereby announce my undying love for you and your queries!

Thanks a bunch.

0 Karma