Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

subtract previous results with current result

kpavan
Path Finder
‎09-19-2016 04:21 AM

Hi All,

I have a result which shows the total user directory count for every 1hr, but I want to how many user got created in last hour. Below is the current result which is showing entire user count,

2016-19-09 11:00:03 1920117
2016-19-09 10:00:03 1919999
2016-19-09 09:00:03 1919891
2016-19-09 08:00:03 1919769
2016-19-09 07:00:03 1919657
2016-19-09 06:00:03 1919571

Consider opening value 1919571, after 1hr 86 user account got created then my next hour count is 1919657, but I want to add one more column stating that 86 user created in last 1hr OR is it possible to subtract the previous value with current value. So that i can show management that for each date N number of users created.

Please help me with query which will show me the result of count for each hour

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎09-19-2016 04:33 AM

tested and working fine.. 

sourcetype=usercount | rex field=_raw "(?<userCount>\d{7})" | streamstats current=f window=1 global=f last(userCount) as PreviousCount | eval Change=PreviousCount-userCount | table _time userCount Change

autoregress also working fine.. tested and good ... 

sourcetype=usercount | rex field=_raw "(?<userCount>\d{7})" | autoregress userCount p=1 | eval UserChange=userCount_p1-userCount | table _time userCount UserChange

alt text

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-19-2016 05:45 AM

There are many ways to do this but the most straightforward is to use the delta command:
https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Delta

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-19-2016 06:04 AM

Thanks Woodcock Sir.. on your previous post on this same topic, I learnt the autoregress and now Delta!

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎09-19-2016 04:33 AM

tested and working fine.. 

sourcetype=usercount | rex field=_raw "(?<userCount>\d{7})" | streamstats current=f window=1 global=f last(userCount) as PreviousCount | eval Change=PreviousCount-userCount | table _time userCount Change

autoregress also working fine.. tested and good ... 

sourcetype=usercount | rex field=_raw "(?<userCount>\d{7})" | autoregress userCount p=1 | eval UserChange=userCount_p1-userCount | table _time userCount UserChange

alt text

Preview file
1 KB
Reply
Solved! Jump to solution

kpavan
Path Finder
‎09-19-2016 05:51 AM

Its working... Thanks much inventsekar!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...