Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to get result for field value difference?

EvansB
Path Finder
‎05-23-2022 12:53 PM

Working with this query, I'm hoping to get only results where field values are greater than the other.

 

 

index="index*"
| eval MonthNumber=strftime(_time,"%m") 
| chart eval(round(avg(durationMs), 0)) AS avg_durationMs by properties.url, MonthNumber 
| rename 04 AS "Apr", 05 AS "May"

 

 

 I want to get only results of where Apr values is greater than May by 10

EvansB_1-1653334771444.png

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-23-2022 01:26 PM

If you only want to see results where the "May" number is greater than the "Apr" number then add a where command to the query.

| where May > Apr

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

EvansB
Path Finder
‎05-23-2022 02:06 PM

This gives me general results. I need results that are only greater than 10 and beyond. This is for the purpose of setting up an alert when values between May and Apr is greater than 10

Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-23-2022 04:51 PM

Change the where command to test for the desired difference.

 

| where May > Apr+10

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

EvansB
Path Finder
‎05-23-2022 05:06 PM

Appreciate your assistance

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...