Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Compare this month to last month results

hartfoml
Motivator
‎04-14-2014 01:08 PM

I can find the number of clients talking to my deployment server by client group name like this.

index=_internal hostname=* component="Metrics" group="ds_connections_default" | stats dc(hostname) by name | addcoltotals labelfield=name label=TOTAL

this might not be the fastest or most efficient method and if you know a better way please let me know.

I want to run this search for the last month and compare to the month before that so that I get a number of clients per client group name with "coltotal" added last month report.

Does that make sense???

any help would be appreciated.

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-14-2014 02:11 PM

Remember that by default your _internal index will only keep data for 30 days, so without storing summary data in another index you'd need to increase that to cover two months.

Reply

somesoni2
Revered Legend
‎04-14-2014 01:26 PM

Try this

index=_internal hostname=* component="Metrics" group="ds_connections_default" earliest=-2mon@mon latest=@mon| chart dc(hostname) by name,date_month | addcoltotals labelfield=name label=TOTAL
0 Karma
Reply

linu1988
Champion
‎04-15-2014 06:58 AM

that is why it needs to be in summary index where you store the result for each month rather running one 5 min query for the result from _internal logs. then you can mention month wise report.

0 Karma
Reply

hartfoml
Motivator
‎04-15-2014 05:58 AM

Thanks Timewrap is almost the answer I was looking for a difference (i.e 39 new clients were added last month)

Like this - Number of clients last months subtract number of clients two months ago equals number of clients added

Mar Clients 120
Feb Clients -110
New Clients 20
20 clients added last month

Seems simple enough I just cant figure out how to do it in one search or report query?

Thanks everyone for your help

0 Karma
Reply

MuS
Legend
‎04-15-2014 05:44 AM

go for timewrap this will do exactly what you need

0 Karma
Reply

hartfoml
Motivator
‎04-14-2014 02:21 PM

Thanks I see the different Columns using the chart command.

then I can subtract one column from the other.

I am looking at the small app called "Timewrap" this might work for me

http://apps.splunk.com/app/1645/

Reply

somesoni2
Revered Legend
‎04-14-2014 02:04 PM

If I am not wrong with this search, you'll get 3 columns, name, month1, month2 which mean you can compare the data for last month with a month before that. Trick is to specify proper time period using earliest and latest. [to compare current month and last month, use earliest=-1mon@mon latest=now]

0 Karma
Reply

hartfoml
Motivator
‎04-14-2014 01:34 PM

Thanks this is helping to get the previous two months of data. I still need to separate the two months and compare the results to see the change between months. the last month compered to this month type thing to get the difference. I guess it wasn't too clear. sorry...

Thanks again for the help 🙂

0 Karma
Reply

hartfoml
Motivator
‎04-14-2014 01:14 PM

thanks much I'll try to lookup how to do that

0 Karma
Reply

linu1988
Champion
‎04-14-2014 01:13 PM

summarize then run the comparison.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...