Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

eval/sum field

EvansB
Path Finder
‎02-03-2022 05:12 PM

Hi folks,
What query can I use to sum up my field "viewer.Id" to see how many viewers we have between 01/22/2022 and 02/02/2022. I would like to see the count of Increment/decrement from my results and also in % by comparing it with different dates.

Thanks
Evans

Labels (4)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-03-2022 08:41 PM

What do your events look like?

Do you want to add up the values of viewer.id or count how many events each viewer id has or how many distinct viewer ids between those dates?

Which dates do you want to compare against?

Which increments/decrements are you trying to discover?

0 Karma
Reply

EvansB
Path Finder
‎02-04-2022 06:38 AM

Thanks for the quick turnaround,

I'm hoping to perform 2 tasks
1. Add up the values of viewer.id, and how many distinct viewer ids between those dates?

2. I want to get the count of the total "viewer_id" for the past week against this week and compare if there were more viewers or less.
I also want to get this result not only as a count but also convert (more viewers or less total count) to percentage.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2022 08:44 AM

It is still not clear what you are trying to do - your viewerId is not a number which can be added, it is a string of characters. You can however count the distinct values of viewerId or count how many times each viewerId occurs in your time period

| stats dc(properties.request.viewerId)

| stats count by properties.request.viewerId
0 Karma
Reply

EvansB
Path Finder
‎02-05-2022 09:08 AM

You're correct,
I want to get a count of total viewerId that occurs in my time period(past week) and compare it with another time period(this week) to see possible increase or decrease of all viewerId. 
Also, I want to convert this result into percentage.
Thank you.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2022 09:14 AM 
| bin span=1w _time
| stats dc(properties.request.viewerId) by _time
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2022 09:34 AM 
| bin span=1w _time
| stats dc(properties.request.viewerId) as count by _time
| autoregress count as previous
| eval diff=previous-count
| eval percent=100*diff/count
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...