
Trying to get the value of a field for the previous month

jvmerilla
Path Finder

Hi,

I'm working with old data where I need to get the value of a field for the 'supposed' previous month.

Here's my query:

    index="sample_data" sourcetype="management_sampledata.csv" "Ticket Type"=* Priority=* Ticket_No=*
    | eval _time = strptime(Date, "%m/%d/%y")
    | timechart span=1mon count(eval(Status="Closed")) as Closed/Cancelled, count as Inflow
    | eval Backlog_Total = Inflow - 'Closed/Cancelled'

And here's the result:


What I'm trying to do is to get the value of Backlog_Total of the supposed previous month which is '2017-05'.
How would I be able to do it? And also it needs to be dynamic.

I hope you can help me with this.

Thank you.


HiroshiSatoh
Champion

You can get the difference from the previous event with "delta".

    index="sample_data" sourcetype="management_sampledata.csv" "Ticket Type"=* Priority=* Ticket_No=*
    | eval _time = strptime(Date, "%m/%d/%y")
    | timechart span=1mon count(eval(Status="Closed")) as Closed/Cancelled, count as Inflow
    | eval Backlog_Total = Inflow - 'Closed/Cancelled'
    | delta Backlog_Total as previous_month_Backlog_Total
    | eval previous_month_Backlog_Total=Backlog_Total - previous_month_Backlog_Total

jvmerilla
Path Finder

Hi @HiroshiSatoh,

I tried it but it doesn't work the way I want it to.
It does not get the exact value of the field. It only got 180 instead of 183.


HiroshiSatoh
Champion

I was wrong.

    | eval previous_month_Backlog_Total=Backlog_Total + previous_month_Backlog_Total
    | eval previous_month_Backlog_Total=Backlog_Total - previous_month_Backlog_Total

delta gets the difference. 180 is the difference.
363-183=180

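To make the `delta` arithmetic in this thread concrete, here is an added Python model of the same pipeline (not Splunk code, and not from either poster): rows are bucketed by month as the timechart does, Inflow, Closed/Cancelled and Backlog_Total are computed, and the previous month's value is derived from a current-minus-previous delta. The rows are constructed so the two months come out at the 183 and 363 quoted above, which is why the delta alone reads 180.

```python
"""Python model of the SPL pipeline discussed above (constructed data, not the
asker's CSV): bucket tickets by month, compute Inflow, Closed/Cancelled and
Backlog_Total, then recover the previous month's Backlog_Total from a delta."""
from collections import OrderedDict
from datetime import datetime

# Constructed rows shaped like management_sampledata.csv (Date, Status).
# May: 200 tickets, 17 closed -> backlog 183. June: 400 tickets, 37 closed -> 363.
SAMPLE_ROWS = (
    [("05/03/17", "Closed")] * 17 + [("05/10/17", "Open")] * 183
    + [("06/01/17", "Closed")] * 37 + [("06/15/17", "Open")] * 363
)


def timechart_backlog(rows):
    """Mirror of: eval _time=strptime(Date,"%m/%d/%y") | timechart span=1mon
    count(eval(Status="Closed")) as Closed/Cancelled, count as Inflow
    | eval Backlog_Total = Inflow - 'Closed/Cancelled'.  Returns month -> fields."""
    buckets = {}
    for date, status in rows:
        month = datetime.strptime(date, "%m/%d/%y").strftime("%Y-%m")
        b = buckets.setdefault(month, {"Inflow": 0, "Closed/Cancelled": 0})
        b["Inflow"] += 1
        if status == "Closed":
            b["Closed/Cancelled"] += 1
    for b in buckets.values():
        b["Backlog_Total"] = b["Inflow"] - b["Closed/Cancelled"]
    return OrderedDict(sorted(buckets.items()))  # timechart rows are time-ordered


def add_delta_and_previous(chart, field="Backlog_Total"):
    """Mirror of: delta <field> as <field>_delta
    | eval previous_month_<field> = <field> - <field>_delta.
    Splunk's delta is current minus previous, so the delta by itself (180 here)
    is not the previous month's value; subtracting it from the current row is.
    The first row has no predecessor, so both derived fields stay null (None)."""
    prev = None
    for b in chart.values():
        delta = None if prev is None else b[field] - prev
        b[field + "_delta"] = delta
        b["previous_month_" + field] = None if delta is None else b[field] - delta
        prev = b[field]
    return chart


def latest_previous_month_backlog(chart):
    """The 'dynamic' form the asker wanted: previous-month Backlog_Total of
    whichever month is most recent, with no hard-coded '2017-05'."""
    return chart[next(reversed(chart))]["previous_month_Backlog_Total"]
```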