How can I count the difference from two days?

jfriedrich · ‎09-21-2017

Hi Splunk colleagues,

I need the following output:
Day 1 difference to Day2 = + or - in counts to see the trend of errormessages.

It is a multitude of times in the timerange to select and then by eye to compare the numbers...

My Search for today is following:

    * | chart count by sourcetype, ERRORCODE | sort -count

Day 1: (for example today)

sourcetype  ERRORCODE2  ERRORCODE2  ERRORCODE3
WIN32   0   0   138
UNIX    0   0      60
AUTO    0   0     844
LDAP    0   24   703

Day 2:

sourcetype  ERRORCODE2  ERRORCODE2  ERRORCODE3
WIN32   5   0   138
UNIX    0   0      60
AUTO    0   8      0
LDAP    1   24  100

oda · ‎09-24-2017

Is the error code correct?
You can make it if you have decided.

| eval test=sourcetype+"__"+ERRORCODE | bucket _time span=1d | chart count by _time,test | sort -count | delta | delta …

Try it!

somesoni2 · ‎09-21-2017

Can you post expected output based on the sample data you posted in question?

jfriedrich · ‎09-21-2017

I am open for suggestions maybe the result can be:
math: (day1count - day2count) = daycountdifference

day1count: 15
day2count: 20
daycountdifference: -5