Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search the percentage change between multip...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jihape
Path Finder
11-09-2015
09:39 PM
So I loaded some old stock market data into Splunk and now I'm trying to make a big table that shows the percentage change from 1 week ago, 1 month ago etc.
What I want to end up with is something like this:
** symbol | 1w change | 1m change **
SPY | 5% | 10%
SPLK | 3% | 15%
All events have the fields like this:
Adj Close = 210.039993
Close = 210.039993
Date = 2015-11-06
High = 210.320007
Low = 208.460007
Open = 209.740005
Volume = 105423100
category = Large Blend
index = quote
name = SPDR S&P 500 ETF
sourcetype = his_quote
symbol = SPY
Is it possible to do what I want to? I have not been able to get close to what I want.
I tried to do something like this (pseudo code), but it is not working for me.
search get all quote data | save latest as close_now
| subsearch [ search earliest=-1w | save latest as close_1w_ago
| eval diff_pct=(close_now-close_1w_ago)/close_1w_ago*100
| table symbol diff_pct as "1w change"
Any help would be appreciated
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jihape
Path Finder
11-12-2015
07:16 PM
I figured it out.
index=quote earliest=-1w latest=now | stats earliest(Close) as e_close latest(Close) as l_close by symbol | eval 1w=(l_close-e_close)/e_close*100
| appendcols [ search index=quote earliest=-2w latest=now | stats earliest(Close) as e_close latest(Close) as l_close by symbol | eval 2w=(l_close-e_close)/e_close*100 ]
| fields symbol 1w 2w
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jihape
Path Finder
11-12-2015
07:16 PM
I figured it out.
index=quote earliest=-1w latest=now | stats earliest(Close) as e_close latest(Close) as l_close by symbol | eval 1w=(l_close-e_close)/e_close*100
| appendcols [ search index=quote earliest=-2w latest=now | stats earliest(Close) as e_close latest(Close) as l_close by symbol | eval 2w=(l_close-e_close)/e_close*100 ]
| fields symbol 1w 2w
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
11-10-2015
09:03 AM
Have you looked at appendcols?
http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Appendcols
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
