Splunk Search

eval/sum field

EvansB
Path Finder

Hi folks,
What query can I use to sum up my field "viewer.Id" to see how many viewers we have between 01/22/2022 and 02/02/2022? I would like to see the count of increment/decrement from my results, and also in %, by comparing it with different dates.

Thanks
Evans


ITWhisperer
SplunkTrust

What do your events look like?

Do you want to add up the values of viewer.id or count how many events each viewer id has or how many distinct viewer ids between those dates?

Which dates do you want to compare against?

Which increments/decrements are you trying to discover?


EvansB
Path Finder

Thanks for the quick turnaround,

I'm hoping to perform 2 tasks:
1. Add up the values of viewer.id, and see how many distinct viewer ids there are between those dates.

2. I want to get the total count of "viewer_id" for the past week against this week and compare whether there were more viewers or fewer.
I also want to get this result not only as a count but also converted (more or fewer viewers in total) to a percentage.


ITWhisperer
SplunkTrust

It is still not clear what you are trying to do - your viewerId is not a number which can be added, it is a string of characters. You can, however, count the distinct values of viewerId, or count how many times each viewerId occurs in your time period:

| stats dc(properties.request.viewerId)

| stats count by properties.request.viewerId

EvansB
Path Finder

You're correct.
I want to get a count of the total viewerId that occur in my time period (past week) and compare it with another time period (this week) to see a possible increase or decrease of all viewerId.
Also, I want to convert this result into a percentage.
Thank you.


ITWhisperer
SplunkTrust
| bin span=1w _time
| stats dc(properties.request.viewerId) by _time

ITWhisperer
SplunkTrust
| bin span=1w _time
| stats dc(properties.request.viewerId) as count by _time
| autoregress count as previous
| eval diff=count-previous
| eval percent=100*diff/previous
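Putting the pieces from this thread together into one complete search, as an added example that is not ITWhisperer's own code: the index, sourcetype and the relative time range (the last two complete weeks) are assumptions, and the percent change is taken relative to the earlier week so that a positive value means more distinct viewers.

```spl
index=web sourcetype=viewer_events earliest=-2w@w latest=@w
| bin span=1w _time
| stats dc(properties.request.viewerId) as viewers by _time
| autoregress viewers as previous
| eval diff=viewers-previous
| eval percent=if(isnotnull(previous) AND previous>0, round(100*diff/previous, 2), null())
| eval trend=case(diff>0, "increase", diff<0, "decrease", diff==0, "no change", true(), "no previous week")
| eval week_start=strftime(_time, "%Y-%m-%d")
| table week_start viewers previous diff percent trend
```

autoregress copies the value from the preceding row, and stats by _time returns rows in ascending time order, so "previous" is always the earlier week; the first row has no previous week and gets a null percent rather than a division error. Snapping the time range to week boundaries (@w) matters, because a partial week at either end of the range would otherwise understate that week's distinct count and skew the comparison.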