Splunk Search

How do I compare search results from two different time periods?

ryangrobbel
Explorer

Hi,

I'm looking to do something like this:

Take a search with three fields, one being a count (ExceptionClass, Class (these two fields are extracted from the same single event), and count(Class)) during a 10-minute time period; take that same search to get data from 20m to 10m ago, and then compare the differences between the two results. Now, where I'm having issues is figuring out which function to use: set diff, append, or whatever.

Basically, here's a similar scenario:

In a 10m to now search, you pull up all your http events and count each one. So, let's say, your first search comes with the counts below:

http 500 - 30
http 401 - 20
http 200 - 50
http 201 - 50

Then, you take that same search with the earliest being 20m ago and the latest 10m ago, and get the counts below:

http 401 - 5
http 200 - 5
http 201 - 5

I want a table that outputs like this:

http 401 - 25
http 200 - 55
http 201 - 55

In this case, the second search didn't produce any http 500 codes, so I want that result dropped from my final output, while the others that did appear have their counts added together.

A rough search I have so far is:

index=dynatrace-exceptions set diff [search index=dynatrace-exceptions App=EDPPS1 earliest=-10m latest=now | stats count(Message) by ExceptionClass, Message] [search index=dynatrace-exceptions App=EDPPS1 earliest=-20m latest=-10m | stats count(Message) by ExceptionClass, Message] | table count(Message) by ExceptionClass, Message

Not even sure Splunk can do this, so any direction would be great!

Ryan

1 Solution

somesoni2
SplunkTrust

Give this a try

index=dynatrace-exceptions App=EDPPS1 earliest=-20m latest=now
| eval period=if(_time>=relative_time(now(),"-10m"),"current","previous")
| eval commonfield=ExceptionClass."##".Message
| chart count(Message) over commonfield by period
| eval difference=previous-current
| rex field=commonfield "(?<ExceptionClass>[^#]+)##(?<Message>.+)"
| table ExceptionClass Message difference current previous

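The search above does three things: it labels each event "current" or "previous" by comparing _time with a relative cut-off, pivots the counts by that label, and subtracts the two columns. The following Python model of that pipeline is an added example, not code from the thread or from Splunk; it runs on constructed sample events (offsets in minutes before a fixed "now") and also shows the behaviour the question asked for, dropping a row when one period has no events, which the chart output does not do by itself because chart fills an absent period with 0. The same window-over-window comparison is the usual starting point for spotting a sudden jump in an error or failure count.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events standing in for index=dynatrace-exceptions.
# Tuples are (minutes before NOW, ExceptionClass, Message).
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    (2,  "NullPointerException", "cart is null"),
    (4,  "NullPointerException", "cart is null"),
    (7,  "TimeoutException",     "upstream 5s"),
    (9,  "NullPointerException", "cart is null"),
    (12, "NullPointerException", "cart is null"),
    (15, "SocketException",      "connection reset"),
    (18, "TimeoutException",     "upstream 5s"),
    (25, "SocketException",      "connection reset"),  # outside earliest=-20m
]

def period_of(ts, now, window=timedelta(minutes=10)):
    """Mirror of the eval: _time >= now-10m is 'current', anything older is 'previous'.
    'previous' only means '20m to 10m ago' because the search itself is bounded
    by earliest=-20m; the label alone does not enforce the lower bound."""
    return "current" if ts >= now - window else "previous"

def count_by_period(events, now, earliest=timedelta(minutes=20)):
    """Mirror of `chart count(Message) over commonfield by period`: {key: {period: count}}.
    The key is the (ExceptionClass, Message) tuple, so unlike the '##' string join
    there is no collision risk if a class or message itself contains '#'."""
    table = {}
    for minutes_ago, exc_class, message in events:
        ts = now - timedelta(minutes=minutes_ago)
        if ts < now - earliest:          # search window: earliest=-20m latest=now
            continue
        table.setdefault((exc_class, message), Counter())[period_of(ts, now)] += 1
    return table

def compare_periods(events, now, drop_missing=False):
    """Rows of (ExceptionClass, Message, difference, current, previous), sorted by key.
    difference = previous - current, as in the answer. With drop_missing=True a row
    whose count is 0 in either period is removed, which is what the question asked for."""
    rows = []
    for (exc_class, message), counts in sorted(count_by_period(events, now).items()):
        cur, prev = counts.get("current", 0), counts.get("previous", 0)
        if drop_missing and (cur == 0 or prev == 0):
            continue
        rows.append((exc_class, message, prev - cur, cur, prev))
    return rows

if __name__ == "__main__":
    for row in compare_periods(EVENTS, NOW):
        print(row)
```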
jawaharas
Motivator

Good one. Thanks.


ryangrobbel
Explorer

This worked! Never thought of doing it this way. Thank you!
