Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate total count difference per day

Sfry1981
Communicator
‎04-29-2020 07:50 AM

I have a set of data like the below

total=2000
date=2020-04-29

total=1975
date=2020-04-28

total=1951
date=2020-04-27

What I want to produce is a chart that shows the difference per day of these totals i.e as per the below

total difference = 25
date=2020-04-29

total difference=24
date=2020-04-28

total=33
date=2020-04-27

etc

I need a calculation of the difference per day

my raw data already has the total and date in so its a straight calculation from that data

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-29-2020 08:00 AM

@Sfry1981

Can you please try this?

YOUR_SEARCH | eval t=strptime(date,"%Y-%m-%d") | sort t | streamstats window=2 first(total) as p | eval diff=total-p | table date total diff

Sample Search:

| makeresults | eval  total=2000, date="2020-04-29"
| append [ | makeresults | eval total=1975,date="2020-04-28"]
| append [ | makeresults | eval total=1951, date="2020-04-27"] | eval t=strptime(date,"%Y-%m-%d") | sort t | streamstats window=2 first(total) as p | eval diff=total-p | table date total diff

Just change search as per your requirement.

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-29-2020 08:00 AM

@Sfry1981

Can you please try this?

YOUR_SEARCH | eval t=strptime(date,"%Y-%m-%d") | sort t | streamstats window=2 first(total) as p | eval diff=total-p | table date total diff

Sample Search:

| makeresults | eval  total=2000, date="2020-04-29"
| append [ | makeresults | eval total=1975,date="2020-04-28"]
| append [ | makeresults | eval total=1951, date="2020-04-27"] | eval t=strptime(date,"%Y-%m-%d") | sort t | streamstats window=2 first(total) as p | eval diff=total-p | table date total diff

Just change search as per your requirement.

Reply
Solved! Jump to solution

Sfry1981
Communicator
‎04-29-2020 08:11 AM

@kamlesh_vaghela

As the date was in a string format i removed "eval t=strptime(date,"%Y-%m-%d")" and then it worked. Thanks 🙂

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-29-2020 08:24 AM

cool @Sfry1981

Glad to help you

0 Karma
Reply
Solved! Jump to solution

Sfry1981
Communicator
‎04-29-2020 08:34 AM

@kamlesh_vaghela i have 1 issue. It shows all the previous figures as minus so it inverts the graphs but i want them to show as positives. I tried "| eval mynum=abs(mynum)" but this doesnt work. Do you know how to amend?

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-29-2020 09:54 PM

@Sfry1981

| eval mynum=abs(mynum) should work.

Try:
|makeresults count=10 | eval a=-1 | accum a |eval mynum=a | eval mynum=abs(mynum)

Can you please share your sample search and sample value you getting in mynum?

0 Karma
Reply
Solved! Jump to solution

Sfry1981
Communicator
‎04-30-2020 12:20 AM

sorry @kamlesh_vaghela It was my mistake, where i was charting i was using the incorrect value. School boy error. All working again. Thanks for all your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...