I have an hourly alert in Splunk which produces results like:

host    error            count
A       database down    20
B       server down      15

How can I compare this data with the previous hour's data and show the ups and downs in the result?
I'd like to do it without searching the previous hour's data again, for performance reasons.
You can do this by creating a summary index, and then selecting "enable summary indexing" under alert actions. You can then search the summary index and use something like streamstats with an eval function to compare the current hour to the last hour.
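An added example of the summary-index approach described in this answer (not code from the answer itself), assuming the alert writes into the default `summary` index, that the summary events carry the alert's name in `search_name` as `"Hourly error alert"`, and that they keep the `host`, `error` and `count` fields from the question:

```spl
index=summary search_name="Hourly error alert"
| bin _time span=1h
| stats sum(count) AS count BY _time host error
| sort 0 host error _time
| streamstats current=f window=1 last(count) AS prev_count last(_time) AS prev_time BY host error
| eval prev_count = if(prev_time == _time - 3600, prev_count, 0)
| eval delta = count - prev_count
| eval trend = case(delta > 0, "up", delta < 0, "down", true(), "flat")
| eventstats max(_time) AS latest_hour
| where _time == latest_hour
| table host error prev_count count delta trend
```

The `prev_time` check treats a host/error pair that was absent in the previous hour as a count of 0 instead of silently comparing against an older bucket, and the `eventstats`/`where` pair keeps only the most recent hour. Run it over at least the last two hourly buckets (for example `earliest=-3h@h`) so the previous hour is in scope for streamstats.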
I would ask your Splunk admin to do it. There is the option of editing the search to outputcsv. Then, you could do an inputlookup on that and do streamstats, but a CSV file isn't going to scale very well...