About kakar

kakar · ‎05-03-2023

Thanks @gcusello, I'll consider the scheduling option. but the issue I have is the number of records for both months comes exactly the same (As per above query). I was thinking about timechat command, but in this I'll have two sets of top 10 pages name, one for March and another one for April, whereas if I use stats it will be one set of Pages name and each bar will compare the two months data as shown in my initial message above. I am also trying to sort below data that should show the high volume first.

kakar · ‎05-01-2023

Hi Splunkers, I have been using Splunk for a while and went through many proposed solutions in this community and found none to get what I want. This could be due to high volume of events I have for each month or I am doing something wrong. So, the challenge I face is that I have a field lets call it "Pages" and I want to compare the last two months customers visiting the top 10 most visited pages. I have used below query, but the number of events for both months shows the same: (Note: the example below covers the previous day and last day to save time while searching) Main search... | addinfo | eval timephase1=if(_time>=relative_time(info_max_time, "-2d@d"), "last_month", null()), timephase2=if(_time>=relative_time(info_max_time, "-1d@d"), "this_month", null()) | stats count(timephase1) as time1 count(timephase2) as time2 by Pages | sort -time1 | head 10 Any assistance will be appreciated!

kakar · ‎04-27-2023

Hi @PickleRick again, Many thanks for your responses. TO make make it simple, our requirements are to display the top most used 10 apps by MoM. As per my test the records would exceed around 700k -800k per month records. Appreciated mate!

kakar · ‎04-26-2023

@PickleRick Apologise for the late reply. The reason I need to sort is because the requirements are to extract the top 10 used apps and compare them with last two months MoM. Hence I use sort followed by | head =10. Thank you!

kakar · ‎04-11-2023

Thank you, For some reason I get the total for each app for each month differently, but Feb -2mon@mon data is nearly double the month of Mar -1mon@mon. Would you please advise if -2mon@mon is extracting Feb data only? | eval timephase1=if(_time>=relative_time(info_max_time, "-2mon@mon"), "last", null()), timephase2=if(_time>=relative_time(info_max_time, "-1mon@mon"), "this", null()) Many thanks!

kakar · ‎04-11-2023

Hi @dmarling , thanks for your solution. I am using the same logic by phasing two different times "Last_month" for the month of Feb and "This_month" for the month of Mar. The intention is to compare the two months performance. The problem I am facing with is The total number are the same for both months. It takes ages to complete they query. Below is the query: main search.... | addinfo | eval timephase1=if(_time>=relative_time(info_max_time, "-2mon@mon"), "last", null()), timephase2=if(_time>=relative_time(info_max_time, "-1mon@mon"), "this", null()), timephase = mvappend(timephase1, timephase2) | stats count(timephase1) as last_month count(timephase2) as this_month by apps | sort - this_month | head 10 Many thanks in advance!

kakar · ‎09-08-2020

Thank you very much for this post. It fixed an issue I was struggling for days to fix. Very easy to follow and can't miss anything.

Posts	7
Solutions	0
Karma Given	4
Karma Received	0
Member Since	‎03-04-2020

Online Status	Offline
Date Last Visited	‎05-09-2023 01:14 AM

How to store two time-ranges events and compare?

Re: How to store two time-ranges events and compar...

How to store two time-ranges events and compare?

Re: New field defined by time ranges

Re: New field defined by time ranges

Re: New field defined by time ranges

Re: New field defined by time ranges

Re: Is it possible to pass a token to a time picke...

Join the Conversation