Trying to get the value of a field for the previou...

jvmerilla · ‎12-06-2017

Hi,

I'm working with an old data where I need to get the value of a field for the 'supposed' previous month.

Here's my query:

 index="sample_data" sourcetype="management_sampledata.csv" "Ticket Type"=* Priority=* Ticket_No=* 
    | eval _time = strptime(Date, "%m/%d/%y")
    | timechart span=1mon count(eval(Status="Closed")) as Closed/Cancelled, count as Inflow
    | eval Backlog_Total = Inflow - 'Closed/Cancelled'

And here's the result:

What I'm trying to do is to get the value of Backlog_Total of the supposed previous month which is '2017-05'.
How would I be able to do it? And also it needs to be dynamic.

I hope you can help me with this.

Thank you.

HiroshiSatoh · ‎12-06-2017

You can get the difference from the previous event with "delta".

 index="sample_data" sourcetype="management_sampledata.csv" "Ticket Type"=* Priority=* Ticket_No=* 
     | eval _time = strptime(Date, "%m/%d/%y")
     | timechart span=1mon count(eval(Status="Closed")) as Closed/Cancelled, count as Inflow
     | eval Backlog_Total = Inflow - 'Closed/Cancelled'
     | delta Backlog_Total as previous_month_Backlog_Total 
     | eval previous_month_Backlog_Total=Backlog_Total - previous_month_Backlog_Total

jvmerilla · ‎12-06-2017

Hi @HiroshiSatoh,

I tried it but it doesn't work the way I want it.
It does not get the exact value of the field. It only got 180 instead of 183.

HiroshiSatoh · ‎12-06-2017

I was wrong.

| eval previous_month_Backlog_Total=Backlog_Total + previous_month_Backlog_Total
| eval previous_month_Backlog_Total=Backlog_Total - previous_month_Backlog_Total

delta gets the difference. 180 is the difference.
363-183=180

Trying to get the value of a field for the previous month

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?