Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

compare current hour and previous hour value in search and find difference ?

pgadhari
Builder
‎01-13-2020 10:46 PM

I want to compare current top of an hour value with previous top of an hour value. For e.g. between 9 am to 10 am - get the value from exactly 10 am as curr_value and get the value from exactly 9 am as prev_value, find the difference and show the value. This will be applicable for next hour also :

I am using below query to get the earliest and latest value of the hour, but not sure on whether the events are returning proper :

index=dc sourcetype=total_energy earliest=-1h@h latest=@h | stats latest(value) as curr_value earliest(value) as hour_before by source,snmp_index

Please help ?

0 Karma
Reply

TISKAR
Builder
‎01-15-2020 01:18 AM

Hello,

I thinks your request is good, to verify you can run this request:

index=dc sourcetype=total_energy earliest=-1h@h latest=@h  | sort  - _time | table _time value source,snmp_index

And:

index=dc sourcetype=total_energy earliest=-1h@h latest=@h  | sort   _time | table _time value source,snmp_index
0 Karma
Reply

to4kawa
Ultra Champion
‎01-14-2020 01:46 AM

UPDATE2:

index=dc sourcetype=total_energy earliest=-1h@h latest=@h 
| stats last(_time) as curr_time last(value) as curr_value first(_time) as hour_beforetime first(value) as hour_before by source,snmp_index
| fieldformat curr_time=strftime(curr_time,"%c")
| fieldformat hour_beforetime=strftime(hour_beforetime,"%c")

how about this?

0 Karma
Reply

pgadhari
Builder
‎01-14-2020 11:03 PM

actually, the value field is not the timestamp field. It is just, some energy value. I think you are taking it as "epoch" value ? its not that.

What I want to know is - the latest (energy) value and earliest (energy) value, which I am getting in the value field is of the proper time of curr_hour and prev_hour ? How do I verify that ? Hope you got it ?

0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2020 01:23 AM

my answer is ammended. I'm misunderstand.

0 Karma
Reply

pgadhari
Builder
‎01-14-2020 02:31 AM

alt text

Preview file
1 KB
0 Karma
Reply

pgadhari
Builder
‎01-14-2020 02:33 AM

in the above image, how do I verify whether curr_value is of 1 PM and hour_before is of 2 PM ?

Query I am using is :

index=dc sourcetype=total_energy earliest=-1h@h latest=@h  | stats last(value) as curr_value first(value) as hour_before by source,snmp_index
0 Karma
Reply

to4kawa
Ultra Champion
‎01-14-2020 02:43 AM

@pgadhari
my answer is updated, please confirm.

0 Karma
Reply

pgadhari
Builder
‎01-15-2020 09:17 PM

ok. I will check and revert. Thanks.

0 Karma
Reply

pgadhari
Builder
‎01-14-2020 02:29 AM

latest and earliest will also do the same, but is it possible to check whether it is really taking the proper first and last value bu using _time ?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...