Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

eval/sum field

EvansB
Path Finder
‎02-03-2022 05:12 PM

Hi folks,
What query can I use to sum up my field "viewer.Id" to see how many viewers we have between 01/22/2022 and 02/02/2022. I would like to see the count of Increment/decrement from my results and also in % by comparing it with different dates.

Thanks
Evans

Labels (4)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-03-2022 08:41 PM

What do your events look like?

Do you want to add up the values of viewer.id or count how many events each viewer id has or how many distinct viewer ids between those dates?

Which dates do you want to compare against?

Which increments/decrements are you trying to discover?

0 Karma
Reply

EvansB
Path Finder
‎02-04-2022 06:38 AM

Thanks for the quick turnaround,

I'm hoping to perform 2 tasks
1. Add up the values of viewer.id, and how many distinct viewer ids between those dates?

2. I want to get the count of the total "viewer_id" for the past week against this week and compare if there were more viewers or less.
I also want to get this result not only as a count but also convert (more viewers or less total count) to percentage.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2022 08:44 AM

It is still not clear what you are trying to do - your viewerId is not a number which can be added, it is a string of characters. You can however count the distinct values of viewerId or count how many times each viewerId occurs in your time period

| stats dc(properties.request.viewerId)

| stats count by properties.request.viewerId
0 Karma
Reply

EvansB
Path Finder
‎02-05-2022 09:08 AM

You're correct,
I want to get a count of total viewerId that occurs in my time period(past week) and compare it with another time period(this week) to see possible increase or decrease of all viewerId. 
Also, I want to convert this result into percentage.
Thank you.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2022 09:14 AM 
| bin span=1w _time
| stats dc(properties.request.viewerId) by _time
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2022 09:34 AM 
| bin span=1w _time
| stats dc(properties.request.viewerId) as count by _time
| autoregress count as previous
| eval diff=previous-count
| eval percent=100*diff/count
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...