How to see a difference between previous month to this month?

vishalduttauk
Communicator

I have a simple search which is satisfaction_date=0 OR close_date=0 AND status=8 in the previous month. I now have a requirement where users want to see (last 30 days) where those records are now tagged with a different status. The unique identifier for each record is a proposal_id.

i.e. in October proposal vdutta1 had a satisfaction date of 0 and status of 8. Proposal vdutta1 now has a satisfaction date of 0 and status of 6, so this record should be shown.

Can you help?

yuanliu
SplunkTrust

Given that the requirement only concerns final status, I have a suspicion that your initial state is "(satisfaction_date=0 OR close_date=0) AND status=8", not "satisfaction_date=0 OR close_date=0 AND status=8".  So, I'll start from this one.

(satisfaction_date = 0 OR close_date = 0) status = *
| eval month = if(_time < strptime(strftime(now(), "%Y-%m") . "-01", "%F"), "previous", "current")
| stats latest(status) as status by month proposal_id
| eval status = month . ":" . status
| stats values(status) as status by proposal_id
| where status == "previous:8" AND NOT status == "current:8"

Hope this helps.  (Granted, using string manipulation for filtering is silly; there can be many other ways to do it.)

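
The same previous-month to current-month transition check, done without the string concatenation the accepted answer describes as silly: chart pivots the latest status per month into one column per month so the comparison is a plain numeric test. This is an added example, not code from yuanliu or from the original thread. It assumes the field names from the question (proposal_id, status, satisfaction_date, close_date), that status 8 is the state of interest, and a search window of the previous calendar month plus the current month to date (earliest=-1mon@mon), which is an assumption since the question talks about the last 30 days.

```spl
(satisfaction_date=0 OR close_date=0) status=* earliest=-1mon@mon latest=now
| eval month=if(_time < relative_time(now(), "@mon"), "previous", "current")
| chart latest(status) over proposal_id by month
| rename previous AS previous_status, current AS current_status
| where previous_status=8 AND isnotnull(current_status) AND current_status!=8
```

chart produces one row per proposal_id with columns named after the values of month, so previous_status and current_status each hold the latest status seen for that proposal in that month. The isnotnull(current_status) condition is the caveat the string-matching version misses: a proposal with no events at all this month would otherwise satisfy "not current:8" and be reported as changed when it has simply not been logged since last month. Drop that condition only if a missing current-month record should itself count as a change.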
vishalduttauk
Communicator

Thanks @yuanliu, this has worked a treat! 😀
