How to get result for field value difference?

EvansB · ‎05-23-2022

Working with this query, I'm hoping to get only results where field values are greater than the other.

index="index*"
| eval MonthNumber=strftime(_time,"%m") 
| chart eval(round(avg(durationMs), 0)) AS avg_durationMs by properties.url, MonthNumber 
| rename 04 AS "Apr", 05 AS "May"

I want to get only results of where Apr values is greater than May by 10

richgalloway · ‎05-23-2022

If you only want to see results where the "May" number is greater than the "Apr" number then add a where command to the query.

| where May > Apr

---
If this reply helps you, Karma would be appreciated.

EvansB · ‎05-23-2022

This gives me general results. I need results that are only greater than 10 and beyond. This is for the purpose of setting up an alert when values between May and Apr is greater than 10

Thanks

richgalloway · ‎05-23-2022

Change the where command to test for the desired difference.

| where May > Apr+10

---
If this reply helps you, Karma would be appreciated.

EvansB · ‎05-23-2022

Appreciate your assistance

How to get result for field value difference?

count

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!