Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

eval/sum field

EvansB
Path Finder
‎02-03-2022 05:12 PM

Hi folks,
What query can I use to sum up my field "viewer.Id" to see how many viewers we have between 01/22/2022 and 02/02/2022. I would like to see the count of Increment/decrement from my results and also in % by comparing it with different dates.

Thanks
Evans

Labels (4)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-03-2022 08:41 PM

What do your events look like?

Do you want to add up the values of viewer.id or count how many events each viewer id has or how many distinct viewer ids between those dates?

Which dates do you want to compare against?

Which increments/decrements are you trying to discover?

0 Karma
Reply

EvansB
Path Finder
‎02-04-2022 06:38 AM

Thanks for the quick turnaround,

I'm hoping to perform 2 tasks
1. Add up the values of viewer.id, and how many distinct viewer ids between those dates?

2. I want to get the count of the total "viewer_id" for the past week against this week and compare if there were more viewers or less.
I also want to get this result not only as a count but also convert (more viewers or less total count) to percentage.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2022 08:44 AM

It is still not clear what you are trying to do - your viewerId is not a number which can be added, it is a string of characters. You can however count the distinct values of viewerId or count how many times each viewerId occurs in your time period

| stats dc(properties.request.viewerId)

| stats count by properties.request.viewerId
0 Karma
Reply

EvansB
Path Finder
‎02-05-2022 09:08 AM

You're correct,
I want to get a count of total viewerId that occurs in my time period(past week) and compare it with another time period(this week) to see possible increase or decrease of all viewerId. 
Also, I want to convert this result into percentage.
Thank you.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2022 09:14 AM 
| bin span=1w _time
| stats dc(properties.request.viewerId) by _time
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2022 09:34 AM 
| bin span=1w _time
| stats dc(properties.request.viewerId) as count by _time
| autoregress count as previous
| eval diff=previous-count
| eval percent=100*diff/count
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...