topic How to get delta from more than one field in Splunk Search

How to get delta from more than one field

splunkrocks2014 — Tue, 29 Sep 2020 20:21:02 GMT

The following is a list of items per date from different counts. How can I get the delta from count_a, count_b, and count_c based on the same item compared to the previous date? Thanks.

| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c

Re: How to get delta from more than one field

somesoni2 — Fri, 06 Jul 2018 21:05:07 GMT

Give this a try

your current search with date coming in reverse chronological order (descending order of dates)
| streamstats values(count_*) as prev_* by item
| foreach count_* [| eval delta_<<MATCHSTR>>=abs(prev_<<MATCHSTR>>-count_<<MATCHSTR>>)]

Re: How to get delta from more than one field

splunkrocks2014 — Mon, 09 Jul 2018 15:12:03 GMT

it doesn't seem working. I can use "delta" command, but the "delta" command only apply one field. For example,

| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
 | append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
 | append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
 | table date item count_a count_b count_c
 | sort - date
 | delta count_a
 | append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
 | append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
 | append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
 | table date item count_a count_b count_c
 | sort - date
 | delta count_b]
 | append [| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
 | append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
 | append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
 | table date item count_a count_b count_c
 | sort - date
 | delta count_c]

Re: How to get delta from more than one field

woodcock — Fri, 13 Jul 2018 03:10:01 GMT

Like this:

| makeresults | eval item="item 1", count_a=12, count_b=23, count_c=50, date="07/06/2018"
| append [| makeresults | eval item="item 1", count_a=3, count_b=123, count_c=41, date="07/05/2018"]
| append [| makeresults | eval item="item 1", count_a=31, count_b=13, count_c=21, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=1, count_b=42, count_c=12, date="07/04/2018"]
| append [| makeresults | eval item="item 2", count_a=21, count_b=142, count_c=122, date="07/05/2018"]
| table date item count_a count_b count_c
| eval _time = strptime(date, "%m/%d/%Y")
| sort 0 _time
| streamstats current=f last(count*) AS prev_count* BY item
| foreach count* [ eval diff<<MATCHSTR>> = <<FIELD>> - prev_count<<MATCHSTR>> ]