Splunk Search

How to generate a search to display day over day comparison?

ryanprayacn
Explorer
Date    Val Change?
4/13    60            no        
4/12    60          no
4/11    60          yes
4/10    50          no
4/9     50          no

Assuming you have Date and Value, what is the best way to accomplish the Change column? I've seen the TIMEWRAP command, but that seems to be for timechart. I just need the Change column.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

your current search giving fields Date and Val
| sort 0 Date 
| delta Val as Change | eval Change=if(isnull(Change) OR Change=0,"no","yes")
| sort 0 -Date

View solution in original post

ryanprayacn
Explorer

Thanks. Are you able to do something similar for string comparisons? For example, assume you have Date and Value columns, but want the Change, Old Value, and New Value.

Date Value Change Old Value New Value
4/13 xyz no

4/12 xyz no
4/11 xyz yes abc xyz
4/10 abc no
4/9 abc no

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The delta command works for numeric values. So if you want to compare a string field, you would need to use streamstats command, like this( assuming the Val field now contains string)

your current search giving fields Date and Val
 | sort 0 Date 
 | streamstats current=f window=1 values(Val) as Change | eval Change=if(isnull(Change) OR Change=Val,"no","yes")
 | sort 0 -Date 
0 Karma

ryanprayacn
Explorer

Thanks this works. If you wanted to show the Old Value also, would you just use the where command Change="yes" and how would you show Old Value (yesterday's value) on the same line?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

To retain the old values, we need to use a different field name in streamstats (and where clause). Like this

 your current search giving fields Date and Val
  | sort 0 Date 
  | streamstats current=f window=1 values(Val) as OldVal | eval Change=if(isnull(OldVal) OR OldVal=Val,"no","yes")
  | sort 0 -Date | fillnull value="Not Applicable" OldVal
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try like this

your current search giving fields Date and Val
| sort 0 Date 
| delta Val as Change | eval Change=if(isnull(Change) OR Change=0,"no","yes")
| sort 0 -Date
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...