Solved: How to generate a search to find delta between tot...

feickertmd · ‎05-30-2017

I have a log for a documents database. It gives me a daily report of total documents in each collection (each collection and total is one event in the log).

The powers have asked that I show how many documents were added each day for yesterday's and today's totals. So basically, I need to gather and compute the following:

-2d@d -> collection=master doccount=1000
-1d@d -> collection=master doccount=1200 delta=200
@d -> -> collection=master doccount=1500 delta=300

and I need to do this per collection for about 50 collections.

I'm playing with some pretty complex evals, but I hope there is a simpler way

micahkemp · ‎05-30-2017

Check out streamstats, which does allow a BY clause (to satisfy your per collection requirement).

And a (potentially correct/working) run-anywhere example:

index=_internal idx=* b=*
| bin span=1d _time
| stats sum(b) AS bytes BY _time idx
| streamstats current=f last(bytes) AS last_bytes BY idx
| eval delta=if(isnotnull(last_bytes), bytes-last_bytes, "N/A")

View solution in original post

micahkemp · ‎05-30-2017

Check out streamstats, which does allow a BY clause (to satisfy your per collection requirement).

And a (potentially correct/working) run-anywhere example:

index=_internal idx=* b=*
| bin span=1d _time
| stats sum(b) AS bytes BY _time idx
| streamstats current=f last(bytes) AS last_bytes BY idx
| eval delta=if(isnotnull(last_bytes), bytes-last_bytes, "N/A")

feickertmd · ‎05-30-2017

I hereby announce my undying love for you and your queries!

Thanks a bunch.

How to generate a search to find delta between totals from yesterday and today?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!