Solved: Re: How to edit search so delta command does not r...

NaorPenso · ‎08-27-2014

Hi Everyone,
I have a need to create a delta between the count of id today to the count of id yesterday
search: search xyz| timechart count span=1d | sort - _time | delta count AS countdiff
example result:

    _time   count   countdiff
2014-08-26T00:00:00.000+0300    4   
2014-08-25T00:00:00.000+0300    1   -3
2014-08-24T00:00:00.000+0300    0   -1
2014-08-23T00:00:00.000+0300    0   0
2014-08-22T00:00:00.000+0300    0   0
2014-08-21T00:00:00.000+0300    0   0
2014-08-20T00:00:00.000+0300    0   0
2014-08-19T00:00:00.000+0300    0   0
2014-08-18T00:00:00.000+0300    0   0
2014-08-17T00:00:00.000+0300    0   0
2014-08-16T00:00:00.000+0300    0   0
2014-08-15T00:00:00.000+0300    0   0
2014-08-14T00:00:00.000+0300    0   0
2014-08-13T00:00:00.000+0300    0   0
2014-08-12T00:00:00.000+0300    1   1
2014-08-11T00:00:00.000+0300    0   -1

using delta i was able to create the diff between today and the day before but the delta function does yesterday-today and i need it today-yesterday.
Any thoughts?

norbert_hamel · ‎08-27-2014

Maybe you want to remove the | sort - _time, or put is behind the diff command.

search xyz| timechart span=1min count | delta count AS countdiff | sort - _time

Cheers
Norbert

View solution in original post

norbert_hamel · ‎08-27-2014

Maybe you want to remove the | sort - _time, or put is behind the diff command.

search xyz| timechart span=1min count | delta count AS countdiff | sort - _time

Cheers
Norbert

NaorPenso · ‎08-27-2014

Thank Norbert!
Delta before the diff did return positive values.
Thanks again,
Naor

DerekKing · ‎08-27-2014

Hi,

What about

search xyz| timechart count span=1d | reverse | delta count AS countdiff

Regards
Derek

How to edit search so delta command does not return negative results?

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!