https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163034#M46268 <P>Ah. Append this:</P> <PRE><CODE>... | eventstats sum(delta_field_1) by _time </CODE></PRE> Mon, 24 Feb 2014 22:44:35 GMT martin_mueller 2014-02-24T22:44:35Z https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163029#M46263 <P>Need ideas on how to do field calculations based on 2 sets of transactions. Data file is as follows :</P> <P>Timestamp_1 field_1 field_2 field_3 field_4 id_1<BR /><BR /> Timestamp_1 field_1 field_2 field_3 field_4 id_2<BR /><BR /> Timestamp_1 field_1 field_2 field_3 field_4 id_3<BR /><BR /> Timestamp_1 field_1 field_2 field_3 field_4 id_4 </P> <P>Timestamp_2 field_1 field_2 field_3 field_4 id_1<BR /><BR /> Timestamp_2 field_1 field_2 field_3 field_4 id_2<BR /><BR /> Timestamp_2 field_1 field_2 field_3 field_4 id_3<BR /><BR /> Timestamp_2 field_1 field_2 field_3 field_4 id_4 </P> <P>Timestamp_3 field_1 field_2 field_3 field_4 id_1<BR /><BR /> Timestamp_3 field_1 field_2 field_3 field_4 id_2<BR /><BR /> Timestamp_3 field_1 field_2 field_3 field_4 id_3<BR /><BR /> Timestamp_3 field_1 field_2 field_3 field_4 id_4 </P> <P>Multiple events have same timestamp (Timestamp_1, Timestamp_2...) at regular intervals. Field_1 .. to Field_4 are cumulative from previous identical timestamped fields.<BR /><BR /> First part:<BR /><BR /> Need to calculate DELTA by comparing previous event for the same id_1, id_2 ..etc<BR /> Eg. need to calculate Delta as follows :<BR /><BR /> Timestamp2 Field_1 - Timestamp_1 field_1<BR /><BR /> Timestamp3 Field_1 - Timestamp_2 field_1 </P> <P>Second part:<BR /><BR /> Add the DELTAs for field_1, field_2... per time interval, so</P> <P>Timestamp_2 field-delta_1 field-delta_2 field-delta_3 field_4 id_1<BR /><BR /> Timestamp_2 field-delta_1 field-delta_2 field-delta_3 field_4 id_2<BR /><BR /> Timestamp_2 field-delta_1 field-delta_2 field-delta_3 field_4 id_3<BR /><BR /> Timestamp_2 field-delta_1 field-delta_2 field-delta_3 field_4 id_4 </P> <P>Sum of field-delta_1 for all id_?s </P> <P>Appreciate any help/pointers with this !!</P> Mon, 28 Sep 2020 15:57:39 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163029#M46263 noveix 2020-09-28T15:57:39Z https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163030#M46264 <P>For calculating deltas split by a field you can use streamstats:</P> <PRE><CODE>... | streamstats current=f window=1 last(field) as last_field by split_field | eval delta_field = field - last_field </CODE></PRE> <P>Not sure what you mean by the second part, could you elaborate?</P> Mon, 24 Feb 2014 10:38:59 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163030#M46264 martin_mueller 2014-02-24T10:38:59Z https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163031#M46265 <P>Thanks Martin, that works, for the second part .. I need to sum the deltas for all of the id_# for the same timestamp .. using my example data above, deltas for the 4 events which has identical timestamp.</P> Mon, 24 Feb 2014 11:11:13 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163031#M46265 noveix 2014-02-24T11:11:13Z https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163032#M46266 <P>Do you want to sum up several fields in one event or sum up one field over several events - or both?</P> Mon, 24 Feb 2014 11:53:36 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163032#M46266 martin_mueller 2014-02-24T11:53:36Z https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163033#M46267 <P>I want to sum up delta of field_1 for all events that have the same timestamp regardless of the id_#</P> Mon, 28 Sep 2020 15:58:08 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163033#M46267 noveix 2020-09-28T15:58:08Z https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163034#M46268 <P>Ah. Append this:</P> <PRE><CODE>... | eventstats sum(delta_field_1) by _time </CODE></PRE> Mon, 24 Feb 2014 22:44:35 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163034#M46268 martin_mueller 2014-02-24T22:44:35Z https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163035#M46269 <P>great work ... works nicely !!</P> Mon, 24 Feb 2014 23:12:14 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-delta-for-corresponding-fields-base-on-time-grouped/m-p/163035#M46269 noveix 2014-02-24T23:12:14Z