Splunk Search

How do I search the difference between the the sum of latest value from two consecutive days?

andra_pietraru
Path Finder

Right now, I am computing the latest value of a field per ID per each day and then I compute the sum of it. But I would like to see the difference between e.g. sum of day 2 - sum of day 1 as the range for day 2.

My search:

msgType=myMessage  | reverse |  bucket _time span=1d | stats last(myField) AS lastSeenValue by _time ID| timechart span=1d sum(lastSeenValue)

What I want to achieve is to find the range of field myField per day.
I tried using range(myField) but that will miss adding the last event of the previous day.
Any suggestions? Thanks!

1 Solution

woodcock
Esteemed Legend

Try this:

 msgType=myMessage  | reverse |  bucket _time span=1d | stats last(myField) AS lastSeenValue by _time ID | timechart span=1d sum(lastSeenValue) AS sumLastSeenValue | streamstats current=f  last(sumLastSeenValue ) AS prevSumLastSeenValue by ID | fillnull | eval delta = sumLastSeenValue - prevSumLastSeenValue

View solution in original post

woodcock
Esteemed Legend

Try this:

 msgType=myMessage  | reverse |  bucket _time span=1d | stats last(myField) AS lastSeenValue by _time ID | timechart span=1d sum(lastSeenValue) AS sumLastSeenValue | streamstats current=f  last(sumLastSeenValue ) AS prevSumLastSeenValue by ID | fillnull | eval delta = sumLastSeenValue - prevSumLastSeenValue

andra_pietraru
Path Finder

Worked like a charm. Thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...