Hi Everyone,
I need to migrate a report from Sumo Logic to Splunk. In the Sumo Logic report we use the time compare option: the compare operator allows you to compare current search results with data from a past time period for aggregate searches.
For example: if you wanted to compare the behaviour of the backfill error count with a span of 5 min of events per hour along with a timeshift of 3 min, it gives the count of events for every 5 min along with the count 3 min prior to those events.
How to achieve this in Splunk ?
Here is the sample Sumo Logic query:
(_sourceCategory=app (error OR fail*) AND exception)
| "Quote Sequences Error"as ALERT_DESC
| _sourcecategory as SUMO_SOURCE_CATEGORY
| "APP-PROD" as APP_ID
| _sourcehost as APP_SERVER_NAME
| _sourcename as APP_SOURCE_CATEGORY
| timeslice 3m
| count by _timeslice,APP_ID,APP_SERVER_NAME,APP_SOURCE_CATEGORY,SUMO_SOURCE_CATEGORY,ALERT_DESC
| formatDate(_timeslice, "HH:mm:ss:SSS") as EventTime
| if(_count > "100","1",
if(_count > "50","2",
if(_count > "3" and EventTime > "12:00:00" and EventTime < "05:00:00", "4",
if(_count > "3", "3","0")))) as sumo_severity
| format ("%s total errors in the last 3 minutes", _count) as notes
| compare with timeshift 3m
| if (isBlank(sumo_severity_3m) , "0", sumo_severity_3m) as sumo_severity_3m
| where sumo_severity != sumo_severity_3m and !(isblank(sumo_severity))
| sort by _timeslice desc | fields - EventTime, EventTime_3m
Hi @Vikasreddys ,
Did you already see this site, https://uncoder.io/, to translate Sumo Logic queries into Splunk searches?
Now, while I'm answering your question, the service is temporarily unavailable, so I cannot answer directly, but it will be back soon.
Ciao.
Giuseppe