Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

chart count for comparison

selvam_sekar
Path Finder
‎01-24-2024 05:17 AM

Hi,

I have the below SPL and I am not able to get the expected results. Please could you help?

if i use stats count by - then i'm not getting the expected result as below.

SPL:

basesearch earliest=@d latest=now
| append
[ search earliest=-1d@d latest=-1d]
| eval Consumer = case(match(File_Name,"^ABC"), "Down", match(File_Name,"^csd"),"UP", match(File_Name,"^CSD"),"UP",1==1,"Others")
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| eval percentage_variance=abs(round(((Yesterday-Today)/Yesterday)*100,2))
| table Name Consumer Today Yesterday percentage_variance

Expected Result:

NameConsumerTodayYesterdaypercentage_variance
TENUP10100.0%
Labels (4)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-24-2024 05:50 AM

Assuming these are counts, you need to get values for Today and Yesterday into the same event in the pipeline. Try something like this

basesearch earliest=@d latest=now
| append
[ search earliest=-1d@d latest=-1d]
| eval Consumer = case(match(File_Name,"^ABC"), "Down", match(File_Name,"^csd"),"UP", match(File_Name,"^CSD"),"UP",1==1,"Others")
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| stats count by Name Consumer Day
| eval {Day}=count
| fields - Day
| stats values(Today) as Today values(Yesterday) as Yesterday by Name Consumer
| eval percentage_variance=abs(round(((Yesterday-Today)/Yesterday)*100,2))
| table Name Consumer Today Yesterday percentage_variance

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-24-2024 05:50 AM

Assuming these are counts, you need to get values for Today and Yesterday into the same event in the pipeline. Try something like this

basesearch earliest=@d latest=now
| append
[ search earliest=-1d@d latest=-1d]
| eval Consumer = case(match(File_Name,"^ABC"), "Down", match(File_Name,"^csd"),"UP", match(File_Name,"^CSD"),"UP",1==1,"Others")
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| stats count by Name Consumer Day
| eval {Day}=count
| fields - Day
| stats values(Today) as Today values(Yesterday) as Yesterday by Name Consumer
| eval percentage_variance=abs(round(((Yesterday-Today)/Yesterday)*100,2))
| table Name Consumer Today Yesterday percentage_variance
0 Karma
Reply
Solved! Jump to solution

selvam_sekar
Path Finder
‎01-24-2024 06:27 AM

Many Thanks @ITWhisperer . In this SPL Logic how do we ignore the weekend dataand bring only the last working day count for yesterday ? is it possible ?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-24-2024 10:05 AM

Change this line so that it takes into account what the previous day is

[ search earliest=-1d@d latest=-1d]
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...