Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Compare this month to last month results

hartfoml
Motivator
‎04-14-2014 01:08 PM

I can find the number of clients talking to my deployment server by client group name like this.

index=_internal hostname=* component="Metrics" group="ds_connections_default" | stats dc(hostname) by name | addcoltotals labelfield=name label=TOTAL

this might not be the fastest or most efficient method and if you know a better way please let me know.

I want to run this search for the last month and compare to the month before that so that I get a number of clients per client group name with "coltotal" added last month report.

Does that make sense???

any help would be appreciated.

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-14-2014 02:11 PM

Remember that by default your _internal index will only keep data for 30 days, so without storing summary data in another index you'd need to increase that to cover two months.

Reply

somesoni2
Revered Legend
‎04-14-2014 01:26 PM

Try this

index=_internal hostname=* component="Metrics" group="ds_connections_default" earliest=-2mon@mon latest=@mon| chart dc(hostname) by name,date_month | addcoltotals labelfield=name label=TOTAL
0 Karma
Reply

linu1988
Champion
‎04-15-2014 06:58 AM

that is why it needs to be in summary index where you store the result for each month rather running one 5 min query for the result from _internal logs. then you can mention month wise report.

0 Karma
Reply

hartfoml
Motivator
‎04-15-2014 05:58 AM

Thanks Timewrap is almost the answer I was looking for a difference (i.e 39 new clients were added last month)

Like this - Number of clients last months subtract number of clients two months ago equals number of clients added

Mar Clients 120
Feb Clients -110
New Clients 20
20 clients added last month

Seems simple enough I just cant figure out how to do it in one search or report query?

Thanks everyone for your help

0 Karma
Reply

MuS
Legend
‎04-15-2014 05:44 AM

go for timewrap this will do exactly what you need

0 Karma
Reply

hartfoml
Motivator
‎04-14-2014 02:21 PM

Thanks I see the different Columns using the chart command.

then I can subtract one column from the other.

I am looking at the small app called "Timewrap" this might work for me

http://apps.splunk.com/app/1645/

Reply

somesoni2
Revered Legend
‎04-14-2014 02:04 PM

If I am not wrong with this search, you'll get 3 columns, name, month1, month2 which mean you can compare the data for last month with a month before that. Trick is to specify proper time period using earliest and latest. [to compare current month and last month, use earliest=-1mon@mon latest=now]

0 Karma
Reply

hartfoml
Motivator
‎04-14-2014 01:34 PM

Thanks this is helping to get the previous two months of data. I still need to separate the two months and compare the results to see the change between months. the last month compered to this month type thing to get the difference. I guess it wasn't too clear. sorry...

Thanks again for the help 🙂

0 Karma
Reply

hartfoml
Motivator
‎04-14-2014 01:14 PM

thanks much I'll try to lookup how to do that

0 Karma
Reply

linu1988
Champion
‎04-14-2014 01:13 PM

summarize then run the comparison.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...