Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for Yesterday Total Event Minus Today's Event?

Akmal57
Path Finder
‎03-05-2023 05:52 PM

Hi, 

I want to minus yesterday' total event with today's total event and divide by yesterday's total event.

To see Increase in Intrusion Events.

Please help me on query part.

Labels (7)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎03-05-2023 09:27 PM

Well, as long as the requirement is mathematically well define, everything is possible in SPL.  timechart in previous answers was a shortcut.  To split results by index, we'll return to stats command.

<your event search> earliest=-2d@d latest=-0d@d
| bin span=1d@d _time
| stats count values(sourcetype) as sourcetypes values(host) as hosts by index _time
| stats earliest(count) as previous_count latest(count) as yesterday_count earliest(hosts) as previous_hosts latest(hosts) as yesterday_hosts by index
| eval diff = previous_count - yesterday_count

 

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎03-05-2023 06:15 PM 
<your event search> earliest=-1d@d
| timechart span=1d@d count
| stats earliest(count) as yesterday latest(count) as today
| eval diff = today - yesterday

I am not sure how useful this calculation is, however, because you are probably search in the middle of "today", so the increase may not be reflected, if any.  Do you mean to obtain the difference between yesterday and the day before yesterday? (Both will be full 24 hours.)

Reply
Solved! Jump to solution

Akmal57
Path Finder
‎03-05-2023 06:34 PM

Hi yuanliu,

Your query is work very well

So, if i want to see difference between yesterday and the day before yesterday i need to change 

<your event search> earliest=-1d@d

to -2d@d?

Is it possible to see the host or sourcetype in the result?

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎03-05-2023 08:08 PM

Change to

<your event search> earliest=-2d@d latest=-0d@d

Yes, you can add more info.  But depending on what exact info you want to display, the strategy can vary greatly.  Here is one clumsy example:

<your event search> earliest=-2d@d latest=-0d@d
| timechart span=1d@d count values(sourcetype) as sourcetypes values(host) as hosts
| stats earliest(count) as previous_count latest(count) as yesterday_count earliest(sourcetypes) as previous_sourcetypes latest(sourcetypes) as yesterday_sourcetypes earliest(hosts) as previous_hosts latest(hosts) as yesterday_hosts
| eval diff = yesterday_count - previous_count

 

Reply
Solved! Jump to solution

Akmal57
Path Finder
‎03-05-2023 08:32 PM

Its work great,

last thing i want to ask,

how i want to use this query for all available index and the result will compare the event by all index.

eg field as below:

index |  yesterday count | today count | yesterday host | today host | diff

so the result will be based on index

Is it possible?

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎03-05-2023 09:27 PM

Well, as long as the requirement is mathematically well define, everything is possible in SPL.  timechart in previous answers was a shortcut.  To split results by index, we'll return to stats command.

<your event search> earliest=-2d@d latest=-0d@d
| bin span=1d@d _time
| stats count values(sourcetype) as sourcetypes values(host) as hosts by index _time
| stats earliest(count) as previous_count latest(count) as yesterday_count earliest(hosts) as previous_hosts latest(hosts) as yesterday_hosts by index
| eval diff = previous_count - yesterday_count

 

Reply
Solved! Jump to solution

Akmal57
Path Finder
‎03-05-2023 10:01 PM

Thank You Very Much yuanliu,

its work amazing as i want,

Your query really help me. 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...