- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Comparing current hour to previous day's hour.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Comparing current hour to previous day's hour.
index=XYZ trunkgroup| stats count(_raw) as Total_Calls, count(eval(Sip_Resp=="200")) as Completed_Calls by OTG
| search Total_Calls>500 | eval Completion_Percentage= (Completed_Calls/Total_Calls * 100)|eval Completion_Percentage=round(Completion_Percentage,2)
Hello,
I have this simple query that provides total amount of calls, how many were completed, and the completion percentage.
I would like to add to this query where I compare it to the previous day at the same hour.
I would like this query to be dynamic where it is always comparing the previous day's hour.
What can I append to this search query that will show me the data yesterday at the same hour?
Any help would be greatly appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
this evaluates the count on the delivered _audit index for today's current hour vs yesterday's current hour.If this is what you need, merely replace your index etc. the stuff from timechart onwards remains the same
index="_audit" |timechart span=1h count | timewrap 1day|eval flg=strftime(now(),"%H")|eval mrkr=strftime(_time,"%H")|where mrkr=flg
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @philgopaul - Did this resolve your issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, this is not helpful. Cannot get query to work with that suggestion
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cannot get that query to work w/ timechart command. I prefer to use stats command.
I am still not understanding how to compare data to previous hour.
I have this query which is similar to original post.
index=XYZ |stats count(_raw) as Total,
count(eval(txnStatus=="ok")) as
Success,
count(eval(txnStatus=="cc_fail")) as
"Failed" |eval Comp_Percentage=
(Success/Total * 100)|eval
Comp_Percentage=round(Comp_Percentage,2)
How do I add a count to that query where I am looking at previous day at the same hour?
Thanks for any guidance you can provide.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
