Solved: How to generate a search to find delta between tot...

feickertmd · ‎05-30-2017

I have a log for a documents database. It gives me a daily report of total documents in each collection (each collection and total is one event in the log).

The powers have asked that I show how many documents were added each day for yesterday's and today's totals. So basically, I need to gather and compute the following:

-2d@d -> collection=master doccount=1000
-1d@d -> collection=master doccount=1200 delta=200
@d -> -> collection=master doccount=1500 delta=300

and I need to do this per collection for about 50 collections.

I'm playing with some pretty complex evals, but I hope there is a simpler way

micahkemp · ‎05-30-2017

Check out streamstats, which does allow a BY clause (to satisfy your per collection requirement).

And a (potentially correct/working) run-anywhere example:

index=_internal idx=* b=*
| bin span=1d _time
| stats sum(b) AS bytes BY _time idx
| streamstats current=f last(bytes) AS last_bytes BY idx
| eval delta=if(isnotnull(last_bytes), bytes-last_bytes, "N/A")

View solution in original post

micahkemp · ‎05-30-2017

Check out streamstats, which does allow a BY clause (to satisfy your per collection requirement).

And a (potentially correct/working) run-anywhere example:

index=_internal idx=* b=*
| bin span=1d _time
| stats sum(b) AS bytes BY _time idx
| streamstats current=f last(bytes) AS last_bytes BY idx
| eval delta=if(isnotnull(last_bytes), bytes-last_bytes, "N/A")

feickertmd · ‎05-30-2017

I hereby announce my undying love for you and your queries!

Thanks a bunch.

How to generate a search to find delta between totals from yesterday and today?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!