Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write a search to find the difference betwe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to write a search to find the difference between values in multiple fields?
Hello,
I would like to find the difference between values in a couple of fields for two months.
I figured out how to do that just for one field:
|set diff [search index = test_im REPORT_PERIOD="2015-10-01 00:00:00"| stats count by Client Type Type2| fields - count] [search index = test_im REPORT_PERIOD="2015-09-01 00:00:00"| stats count by Client Type Type2 | fields - count]
However, for a couple fields, it's not working properly. It would be nice if the result looked like this (unique difference values):
Client Type Type2
<difference unique values> <difference unique values> <difference unique values>
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Here is the option that you can use. I assume you have a variables called REPORT_PERIOD. Then you can use join or depends on visualization and your needs you can also use appendcols command.
search index = test_im REPORT_PERIOD="2015-10-01 00:00:00"| stats count by Client Type Type2|fields - count
|join REPORT_PERIOD [search index = test_im REPORT_PERIOD="2015-09-01 00:00:00"|stats count by Client Type Type2|fields - count]
|table Client,Type,Type2
You can find more details from the link below.
http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Join
http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Appendcols
Hope it is clear.
Thanks
Gokhan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Unfortunately this is not working. I want to see the different unique values which are exist in one data set and not exist in second one.
e.g. If a new client appear in new month this need to be shown
or if a client which exists in previous month but in current month is not visible
Thank you with helping here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Is there any chance to give those data set tables as an example?
Is it logged clients or new user registration data? I mean you can see the 1 person information more than 1 time in 1 data set in the same period?
Thanks
Gokhan
What Is Splunk? Here’s What You Can Do with Splunk
Level Up Your .conf25: Splunk Arcade Comes to Boston
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
