Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to get result for field value difference?

EvansB
Path Finder
‎05-23-2022 12:53 PM

Working with this query, I'm hoping to get only results where field values are greater than the other.

 

 

index="index*"
| eval MonthNumber=strftime(_time,"%m") 
| chart eval(round(avg(durationMs), 0)) AS avg_durationMs by properties.url, MonthNumber 
| rename 04 AS "Apr", 05 AS "May"

 

 

 I want to get only results of where Apr values is greater than May by 10

EvansB_1-1653334771444.png

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-23-2022 01:26 PM

If you only want to see results where the "May" number is greater than the "Apr" number then add a where command to the query.

| where May > Apr

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

EvansB
Path Finder
‎05-23-2022 02:06 PM

This gives me general results. I need results that are only greater than 10 and beyond. This is for the purpose of setting up an alert when values between May and Apr is greater than 10

Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-23-2022 04:51 PM

Change the where command to test for the desired difference.

 

| where May > Apr+10

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

EvansB
Path Finder
‎05-23-2022 05:06 PM

Appreciate your assistance

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...