Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trying to get the value of a field for the previous month

jvmerilla
Path Finder
‎12-06-2017 05:43 PM

Hi,

I'm working with an old data where I need to get the value of a field for the 'supposed' previous month.

Here's my query:

 index="sample_data" sourcetype="management_sampledata.csv" "Ticket Type"=* Priority=* Ticket_No=* 
    | eval _time = strptime(Date, "%m/%d/%y")
    | timechart span=1mon count(eval(Status="Closed")) as Closed/Cancelled, count as Inflow
    | eval Backlog_Total = Inflow - 'Closed/Cancelled'

And here's the result:

alt text

What I'm trying to do is to get the value of Backlog_Total of the supposed previous month which is '2017-05'.
How would I be able to do it? And also it needs to be dynamic.

I hope you can help me with this.

Thank you.

Tags (3)
Preview file
9 KB
0 Karma
Reply

HiroshiSatoh
Champion
‎12-06-2017 06:14 PM

You can get the difference from the previous event with "delta".

 index="sample_data" sourcetype="management_sampledata.csv" "Ticket Type"=* Priority=* Ticket_No=* 
     | eval _time = strptime(Date, "%m/%d/%y")
     | timechart span=1mon count(eval(Status="Closed")) as Closed/Cancelled, count as Inflow
     | eval Backlog_Total = Inflow - 'Closed/Cancelled'
     | delta Backlog_Total as previous_month_Backlog_Total 
     | eval previous_month_Backlog_Total=Backlog_Total - previous_month_Backlog_Total
0 Karma
Reply

jvmerilla
Path Finder
‎12-06-2017 06:41 PM

Hi @HiroshiSatoh,

I tried it but it doesn't work the way I want it.
It does not get the exact value of the field. It only got 180 instead of 183.

0 Karma
Reply

HiroshiSatoh
Champion
‎12-06-2017 06:52 PM

I was wrong.

| eval previous_month_Backlog_Total=Backlog_Total + previous_month_Backlog_Total
| eval previous_month_Backlog_Total=Backlog_Total - previous_month_Backlog_Total

delta gets the difference. 180 is the difference.
363-183=180

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...