Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search the percentage change between multip...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jihape
Path Finder
11-09-2015
09:39 PM
So I loaded some old stock market data into Splunk and now I'm trying to make a big table that shows the percentage change from 1 week ago, 1 month ago etc.
What I want to end up with is something like this:
** symbol | 1w change | 1m change **
SPY | 5% | 10%
SPLK | 3% | 15%
All events have the fields like this:
Adj Close = 210.039993
Close = 210.039993
Date = 2015-11-06
High = 210.320007
Low = 208.460007
Open = 209.740005
Volume = 105423100
category = Large Blend
index = quote
name = SPDR S&P 500 ETF
sourcetype = his_quote
symbol = SPY
Is it possible to do what I want to? I have not been able to get close to what I want.
I tried to do something like this (pseudo code), but it is not working for me.
search get all quote data | save latest as close_now
| subsearch [ search earliest=-1w | save latest as close_1w_ago
| eval diff_pct=(close_now-close_1w_ago)/close_1w_ago*100
| table symbol diff_pct as "1w change"
Any help would be appreciated
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jihape
Path Finder
11-12-2015
07:16 PM
I figured it out.
index=quote earliest=-1w latest=now | stats earliest(Close) as e_close latest(Close) as l_close by symbol | eval 1w=(l_close-e_close)/e_close*100
| appendcols [ search index=quote earliest=-2w latest=now | stats earliest(Close) as e_close latest(Close) as l_close by symbol | eval 2w=(l_close-e_close)/e_close*100 ]
| fields symbol 1w 2w
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jihape
Path Finder
11-12-2015
07:16 PM
I figured it out.
index=quote earliest=-1w latest=now | stats earliest(Close) as e_close latest(Close) as l_close by symbol | eval 1w=(l_close-e_close)/e_close*100
| appendcols [ search index=quote earliest=-2w latest=now | stats earliest(Close) as e_close latest(Close) as l_close by symbol | eval 2w=(l_close-e_close)/e_close*100 ]
| fields symbol 1w 2w
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
11-10-2015
09:03 AM
Have you looked at appendcols?
http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Appendcols
Get Updates on the Splunk Community!
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
Introducing the 2024 Splunk MVPs!
We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
