eval/sum field

EvansB
Explorer

Hi folks,
What query can I use to sum up my field "viewer.Id" to see how many viewers we have between 01/22/2022 and 02/02/2022? I would like to see the count of the increment/decrement in my results, and also as a % by comparing it with different dates.

Thanks
Evans

0 Karma

ITWhisperer
SplunkTrust

What do your events look like?

Do you want to add up the values of viewer.id or count how many events each viewer id has or how many distinct viewer ids between those dates?

Which dates do you want to compare against?

Which increments/decrements are you trying to discover?

0 Karma

EvansB
Explorer

Thanks for the quick turnaround,

I'm hoping to perform 2 tasks
1. Add up the values of viewer.id, and find how many distinct viewer ids there are between those dates.

2. I want to get the count of the total "viewer_id" for the past week against this week and compare whether there were more viewers or fewer.
I also want to get this result not only as a count but also convert it (more or fewer viewers in total) to a percentage.

0 Karma

ITWhisperer
SplunkTrust

It is still not clear what you are trying to do - your viewerId is not a number which can be added, it is a string of characters. You can, however, count the distinct values of viewerId, or count how many times each viewerId occurs in your time period:

| stats dc(properties.request.viewerId)

| stats count by properties.request.viewerId

0 Karma

EvansB
Explorer

You're correct,
I want to get a count of the total viewerId that occur in my time period (past week) and compare it with another time period (this week) to see a possible increase or decrease of all viewerId.
Also, I want to convert this result into a percentage.
Thank you.

0 Karma

ITWhisperer
SplunkTrust

| bin span=1w _time
| stats dc(properties.request.viewerId) by _time

0 Karma

ITWhisperer
SplunkTrust

| bin span=1w _time
| stats dc(properties.request.viewerId) as count by _time
| autoregress count as previous
| eval diff=previous-count
| eval percent=100*diff/count
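The same week-over-week comparison of distinct viewer ids, reproduced in Python over a constructed event list as an added example that is not part of the thread. It assumes weeks start on Monday (Splunk's weekly bin boundary may differ), reports the change relative to the previous week as 100*(count-previous)/previous, and, like autoregress, leaves the first week's previous/diff/percent empty.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, viewerId); not real data from the thread.
EVENTS = [
    ("2022-01-18T10:00:00Z", "v1"), ("2022-01-18T11:00:00Z", "v1"),
    ("2022-01-19T09:30:00Z", "v2"), ("2022-01-21T16:00:00Z", "v3"),
    ("2022-01-24T08:00:00Z", "v1"), ("2022-01-25T12:00:00Z", "v4"),
    ("2022-01-26T13:00:00Z", "v5"), ("2022-01-28T14:00:00Z", "v6"),
    ("2022-01-28T15:00:00Z", "v7"), ("2022-01-28T15:05:00Z", "v7"),
    ("2022-02-01T10:00:00Z", "v1"), ("2022-02-02T10:00:00Z", "v2"),
]


def weekly_distinct_viewers(events):
    """Mimic `bin span=1w _time | stats dc(viewerId) as count by _time`.

    Returns {monday_date: distinct_viewer_count}, sorted by week.
    Assumption: weeks are binned from Monday (not necessarily Splunk's boundary).
    """
    buckets = defaultdict(set)
    for ts, viewer in events:
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        monday = day - timedelta(days=day.weekday())
        buckets[monday].add(viewer)          # a set gives the distinct count
    return {week: len(ids) for week, ids in sorted(buckets.items())}


def week_over_week(weekly):
    """Mimic `autoregress count as previous`, then diff and percent change.

    percent is relative to the previous week; it is None for the first
    week (no previous value) and when the previous week had zero viewers
    (avoids a divide-by-zero that SPL would otherwise leave null).
    """
    rows, previous = [], None
    for week, count in sorted(weekly.items()):
        diff = percent = None
        if previous is not None:
            diff = count - previous
            if previous != 0:
                percent = round(100.0 * diff / previous, 1)
        rows.append({"week": week.isoformat(), "count": count,
                     "previous": previous, "diff": diff, "percent": percent})
        previous = count
    return rows


if __name__ == "__main__":
    for row in week_over_week(weekly_distinct_viewers(EVENTS)):
        print(row)
```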