https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68793#M17268 <P>correct url : <A href="https://answers.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts.html">https://answers.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts.html</A></P> Tue, 11 Apr 2017 09:26:37 GMT maraman_splunk 2017-04-11T09:26:37Z https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68783#M17258 <P>I have multiple events like :</P> <P>field 1; otherTimestamp; field2;field3;field4 <BR /> test;1371481920.000000,value2,valeu3... <BR /> test,1371481980.000000,value4,value5... <BR /> otherttest,1371481920.000000,value...</P> <P>I want to compute a delta on the othertimestamp field, but the delta should be 0, if the field1 changed... I also want to see all other fields for each event.</P> <P>I tried to use delta, but I couldn't make delta begin at 0, on field1 changed...</P> <P>I've tried to put a | transaction field1 | in front of the delta, but then all the lines are in a single event, and I'd like distinct events...</P> <P>Can I do it with streamstats somehow ? what is the best way</P> <P><IMG src="http://" alt="alt text" /></P> Wed, 19 Jun 2013 16:49:05 GMT https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68783#M17258 sbsbb 2013-06-19T16:49:05Z https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68784#M17259 <P>Did you see this? <A href="http://splunk-base.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts">http://splunk-base.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts</A></P> <P>It shows how to create a delta split by certain fields using streamstats.</P> Wed, 19 Jun 2013 17:02:50 GMT https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68784#M17259 Ayn 2013-06-19T17:02:50Z https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68785#M17260 <P>Yes but in all examples, it is always grouping things...<BR /> I want only to compute the delta when event have the same ID_fields, but I need to see all the events...</P> Wed, 19 Jun 2013 17:32:34 GMT https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68785#M17260 sbsbb 2013-06-19T17:32:34Z https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68786#M17261 <P>well "same ID_fields" &lt;-- that's grouping, no? <CODE>streamstats ... by yourfield</CODE></P> Wed, 19 Jun 2013 17:56:27 GMT https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68786#M17261 Ayn 2013-06-19T17:56:27Z https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68787#M17262 <P>ok, but there are other fields that are different on each event... see example value2, value4, if I make a group by the id_field, I'm also loosing all other fields ?</P> Wed, 19 Jun 2013 18:14:36 GMT https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68787#M17262 sbsbb 2013-06-19T18:14:36Z https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68788#M17263 <P>No. <CODE>streamstats</CODE> does not remove any fields, it just writes a couple more to each event.</P> Wed, 19 Jun 2013 18:17:30 GMT https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68788#M17263 Ayn 2013-06-19T18:17:30Z https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68789#M17264 <P>Could you post me an example, on how to do it, according to this example ?<BR /> ( making a delta on one field, and only displaying the others)</P> Mon, 24 Jun 2013 22:41:47 GMT https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68789#M17264 sbsbb 2013-06-24T22:41:47Z https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68790#M17265 <P>Something like this:</P> <PRE><CODE>... | streamstats window=2 current=t global=f earliest(otherTimestamp) as curr, latest(otherTimestamp) as next by field1 | eval delta=next-curr </CODE></PRE> Tue, 25 Jun 2013 06:13:10 GMT https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68790#M17265 Ayn 2013-06-25T06:13:10Z https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68791#M17266 <P>Thank you, but how can I display all the fields from current ?</P> Tue, 25 Jun 2013 13:45:32 GMT https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68791#M17266 sbsbb 2013-06-25T13:45:32Z https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68792#M17267 <P>See <CODE>streamstats</CODE> docs. Remove window. I'm expecting you to do some work yourself here - I'm just giving you pointers on how to solve your problem.</P> Tue, 25 Jun 2013 14:24:01 GMT https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68792#M17267 Ayn 2013-06-25T14:24:01Z https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68793#M17268 <P>correct url : <A href="https://answers.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts.html">https://answers.splunk.com/answers/47037/delta-then-sum-then-graph-from-multiple-hosts.html</A></P> Tue, 11 Apr 2017 09:26:37 GMT https://community.splunk.com/t5/Splunk-Search/Delta-on-serveral-fields-separate-by-id/m-p/68793#M17268 maraman_splunk 2017-04-11T09:26:37Z