https://community.splunk.com/t5/Knowledge-Management/Data-Field-Entries-Across-Different-Time-Spans-per-Entry/m-p/35051#M7092 <P>Thanks for the feedback. Great answer to my question, it certainly is "close enough" haha.</P> Wed, 15 Aug 2012 23:34:13 GMT mmedal 2012-08-15T23:34:13Z https://community.splunk.com/t5/Knowledge-Management/Data-Field-Entries-Across-Different-Time-Spans-per-Entry/m-p/35049#M7090 <P>I have a bunch of SAN usage data that I am inputting into Splunk that looks as follows, with each line representing an entry in Splunk:</P> <PRE><CODE>Group: diskdg1 Disks: 21 Disk in use: data04 Capacity: 1% Group: diskdg2 Disks: 21 Disk in use: data05 Capacity: 1% Group: diskdg3 Disks: 5 Disk in use: data01 Capacity: 33% Group: diskdg4 Disks: 34 Disk in use: data08 Capacity: 1% Group: diskdg5 Disks: 30 Disk in use: data07 Capacity: 1% Group: diskdg6 Disks: 38 Disk in use: data09 Capacity: 25% </CODE></PRE> <P>What I would like to do is display a table with these fields, plus a new field displaying a "change in capacity" since 7 days ago. In other words, I would like to evaluate the difference between the capacity field now and the capacity field for that entry 7 days ago.</P> <P>Can anyone assist me with a search?</P> <P>Thanks so much, Matt</P> Tue, 14 Aug 2012 22:57:36 GMT https://community.splunk.com/t5/Knowledge-Management/Data-Field-Entries-Across-Different-Time-Spans-per-Entry/m-p/35049#M7090 mmedal 2012-08-14T22:57:36Z https://community.splunk.com/t5/Knowledge-Management/Data-Field-Entries-Across-Different-Time-Spans-per-Entry/m-p/35050#M7091 <P>At first glance, the difference should be pretty easy - you can use the <CODE>delta</CODE> search command. But, <CODE>delta</CODE> lacks a <CODE>by</CODE> clause so you could only do one <CODE>Group</CODE> at a time - a bit of a limitation. But, I think you can use <CODE>streamstats</CODE> to roughly create a <CODE>delta</CODE> per-Group.</P> <P>Assuming that your data above has field extractions for <CODE>Group</CODE> and <CODE>Capacity</CODE> then a search like this should get you close:</P> <PRE><CODE>sourcetype=my_san_data | streamstats last(Capacity) as high first(Capacity) as low by Group window=7 global=f | eval delta=high-low | table _time,Group,Capacity,delta </CODE></PRE> <P>You may need to swap around high vs low just to get it to work out mathematically right. There is an assumption here that you are collecting this data once per day. The way this "should" work is <CODE>streamstats</CODE> will do a sliding window of 7 events per <CODE>Group</CODE> and use the first and last values of <CODE>Capacity</CODE> within each of those sliding windows to calculate a delta. </P> <P>Obviously a sliding window of 7 events is not necessarily <STRONG>strictly</STRONG> 7 days. It depends on you collecting exactly once per day, every day, without missing one. If you are collecting once per hour, then you can adjust <CODE>window</CODE> to be 168 instead.</P> <P>There are some more complicated ways of dealing with this like maintaining state in lookups, or time-oriented subsearches if you need a higher precision than a sliding window. But, unless your accuracy requirements are very very high, this should be "<A href="http://knowyourmeme.com/memes/close-enough">close enough</A>".</P> Wed, 15 Aug 2012 03:07:16 GMT https://community.splunk.com/t5/Knowledge-Management/Data-Field-Entries-Across-Different-Time-Spans-per-Entry/m-p/35050#M7091 dwaddle 2012-08-15T03:07:16Z https://community.splunk.com/t5/Knowledge-Management/Data-Field-Entries-Across-Different-Time-Spans-per-Entry/m-p/35051#M7092 <P>Thanks for the feedback. Great answer to my question, it certainly is "close enough" haha.</P> Wed, 15 Aug 2012 23:34:13 GMT https://community.splunk.com/t5/Knowledge-Management/Data-Field-Entries-Across-Different-Time-Spans-per-Entry/m-p/35051#M7092 mmedal 2012-08-15T23:34:13Z