Re: How to find the difference from the previous d...

splunkrocks2014 · ‎04-20-2018

Hi.

How to use Splunk query to compare to the "count" field from previous day from a lookup table? For instance, the lookup table has fields:

date             item            count
-------         -------         ---------
04/20/2018        box              12
04/19/2018        box              20
The end result looks like:
    date             item            count      diff
    -------         -------         ---------   ------
    04/20/2018        box              12        -8

Thanks.

elliotproebstel · ‎04-20-2018

The delta command is what you'll be using, but with your source events sorted in reverse-chronological order (as they are above), it will put your diff value on the wrong line. So try this:

your current search that gives  you the first table
| reverse
| delta count AS diff

Here are the docs on delta:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Delta

splunkrocks2014 · ‎04-21-2018

Thanks elliotproebstel. This is what I am looking for. I have another question: between "reverse" and "delta" subsearch, how can I loop through a lookup table and calculate the diff only matched to the lookup? Thanks.

elliotproebstel · ‎04-21-2018

That will be pretty easy, but to help you structure the query, can you tell me what field in your current search you'll be looking to match and the name of the column/field in the lookup table that you're matching to?

How to find the difference from the previous day in a lookup table?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk