Splunk Search

How to show Trending compared to last month value

avni26
Explorer

Hello,
I want to show trending compared to the last score calculated.
I have multiple single panels calculating one field "score" for last month (August) based on some condition like last_month_count (August count) > last2_month (July count),
and taking the summation of all panels' result values in another dashboard panel as total_score.
Now, I want to show trending of this month's total_score compared to the last total_score.
Please suggest how to approach this.
Thanks.

0 Karma

DavidHourani
Super Champion

Hi @avni26,

As Rich suggested, you can do this using timewrap; however, if that doesn't work for you, then you can use append instead to build your search, as shown in the first answer here:
https://answers.splunk.com/answers/371015/display-comparison-between-last-week-vs-this-week.html

Let me know what your search looks like if the above link didn't work for you so we can try and fix it.

Cheers,
David

0 Karma

avni26
Explorer

@DavidHourani, yes, append only will do. But my query is already too long, and I also have several panels, each having its own independent index. With append, I have to write the whole query again for last month. 😞
I guess I have to use a report for the same.

0 Karma

DavidHourani
Super Champion

How about using an eval to create a field containing "Current Month" and "last Month" based on the time, and then running a timechart by that field?

0 Karma
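
The eval-based approach suggested above, sketched as an added example that is not part of the original thread and was not posted by any participant. It assumes a placeholder index name `your_index`, a score of 1 or 0 from the `last_month_count > last2_month` style condition in the question, and a hypothetical third bucket `last3_month_count` so that the previous score can be computed in the same search without append:

```spl
index=your_index earliest=-3mon@mon latest=@mon
| eval period=case(
    _time >= relative_time(now(), "-1mon@mon"), "m1",
    _time >= relative_time(now(), "-2mon@mon"), "m2",
    true(), "m3")
| stats count(eval(period="m1")) AS last_month_count
        count(eval(period="m2")) AS last2_month_count
        count(eval(period="m3")) AS last3_month_count
| eval score=if(last_month_count > last2_month_count, 1, 0)
| eval previous_score=if(last2_month_count > last3_month_count, 1, 0)
| eval trend=score - previous_score
| table score previous_score trend
```

Each panel's base search is written once over three calendar months; the `period` field replaces the second copy of the query that append would require.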

avni26
Explorer

@DavidHourani yes, this can be perfect. Please share any sample query for more understanding, if possible.

0 Karma

richgalloway
SplunkTrust

Have you looked at the timewrap command?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

avni26
Explorer

Yes, timewrap will not work in my query, as for each panel I am just searching for last month.
Any other way?

0 Karma