Splunk Search

How to compare the hourly count of events for a particular event and show what is the difference?

vrmandadi
Builder

I am trying to create a search which will give the difference in count for a field called "id" and show what those different values for the field "id" are.

For instance, if the current hour count for id is 900 and the previous hour count is 830, I want to see the difference as 70 and show what those 70 different id's are. Currently I am able to get the difference using the search below:

index="netbox_test"
| rename "results{}.id" as "id"
| timechart span=1h count(id) as total
| delta total as difference


Thanks in Advance

0 Karma

ITWhisperer
SplunkTrust
| bin _time span=1h
| stats dc(_time) as hours min(_time) as _time by id
| where hours = 1
| stats values(id) as ids by _time

Ids in the earlier hour are missing from the later hour and ids in the later hour are new to the later hour.

0 Karma

vrmandadi
Builder

Thank you. Let me check this and get back to you.

0 Karma

PickleRick
Ultra Champion

If the difference in id count between two hour-long periods is 70, that doesn't mean that only 70 ids differ. Example: in one hour you have ids 1,2,3; in the next, 4,5. The count difference is 1, but all the ids are different.

Either you're assuming too much or there are additional unmentioned conditions.

0 Karma

vrmandadi
Builder

To be more clear: I am pulling netbox data into Splunk, so there are 900 devices in netbox. Sometimes these 900 devices might be turned off, removed or added, so when these changes occur the count differs. I want to see what the difference is when compared hourly. I was able to find the difference every hour by using delta, but I want to know what those different devices are for that particular hour, i.e. compare the current hour with the previous hour and show the count difference and what is different.


Example:

Previous Hour: 1, 2, 3

Current Hour: 2, 3, 4, 5, 6

Difference Count: 2

IDs different: 1, 4, 5, 6

0 Karma

PickleRick
Ultra Champion

So you see for yourself that simply counting is not a reliable way of noticing that the sets are different. If you had 1,2,3,4 during one hour and 3,4,6,9 next hour, you'd miss that 1,2 turned into 6,9.

0 Karma
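The same per-hour set comparison that ITWhisperer's search performs, and the point PickleRick raises about counts hiding changes, worked through as an added Python example (not code from either poster). The event list is constructed to mirror the poster's example hours plus a third hour in which the count is unchanged but every id is different.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (timestamp, id): hour 10 has 1,2,3; hour 11 has
# 2,3,4,5,6 (the poster's example); hour 12 has the same count as hour 11
# but a completely different set of ids (PickleRick's counter-example).
SAMPLE_EVENTS = [
    ("2022-06-27T10:05:00Z", 1), ("2022-06-27T10:10:00Z", 2), ("2022-06-27T10:20:00Z", 3),
    ("2022-06-27T11:05:00Z", 2), ("2022-06-27T11:10:00Z", 3), ("2022-06-27T11:15:00Z", 4),
    ("2022-06-27T11:30:00Z", 5), ("2022-06-27T11:45:00Z", 6),
    ("2022-06-27T12:05:00Z", 7), ("2022-06-27T12:10:00Z", 8), ("2022-06-27T12:15:00Z", 9),
    ("2022-06-27T12:30:00Z", 10), ("2022-06-27T12:45:00Z", 11),
]

def bucket_by_hour(events):
    """Like `bin _time span=1h`: collect the distinct ids seen in each hour."""
    buckets = defaultdict(set)
    for ts, dev_id in events:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        hour = t.replace(minute=0, second=0, microsecond=0)
        buckets[hour].add(dev_id)
    return dict(sorted(buckets.items()))

def hourly_diff(events):
    """For every hour after the first, report the count delta (what `delta`
    gives you) next to the ids that disappeared and the ids that appeared."""
    buckets = bucket_by_hour(events)
    hours = list(buckets)
    rows = []
    for prev, cur in zip(hours, hours[1:]):
        removed = sorted(buckets[prev] - buckets[cur])  # present before, gone now
        added = sorted(buckets[cur] - buckets[prev])    # new in the current hour
        rows.append({
            "hour": cur.strftime("%Y-%m-%d %H:00"),
            "count_delta": len(buckets[cur]) - len(buckets[prev]),
            "removed": removed,
            "added": added,
            "changed": len(removed) + len(added),  # size of the symmetric difference
        })
    return rows

if __name__ == "__main__":
    for row in hourly_diff(SAMPLE_EVENTS):
        print(row)
```

The 12:00 row shows a count_delta of 0 while ten ids changed, which is exactly the case a delta-only search would miss.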