topic Re: How do I prevent initial delta value from breaking my visualization? in Splunk Search

How do I prevent initial delta value from breaking my visualization?

EricLloyd79 — Wed, 21 Sep 2016 20:26:38 GMT

I am trying to get the delta of several key-value pairs over a period of an hour. The initial ingestion of data is from a few hours ago yet the earliest time slot for this timechart is empty and the second one has the full value (not the delta) causing my visualizations to be unreadable. I see what its doing - its basically trying to get the previous value for the earliest time slot for the time I've specified, seeing it empty and giving me the delta of the full value but I need it to recognize the previous value, instead of it being blank.

Here is a template for my query:
sourcetype=abc SCTP host="abc.com"

| timechart span=5m max(field1) as field1 max(field2) as field2
| delta field1 as field1d
| delta field2 as field2d

So my output in stats is :
FIRST ROW TIMESLOT: BLANK
SECOND ROW TIMESLOT: field1=2000 field2=5000
THIRD ROW TIMESLOT: field1=0 field2=3

So now my visualization is unreadable...

Re: How do I prevent initial delta value from breaking my visualization?

sundareshr — Wed, 21 Sep 2016 20:54:04 GMT

Are these values for field1d or field1? Why is the first timeslot blank for field1? I can understand it being blank for field1d. What would you like the "previous value" for the first row be?

Re: How do I prevent initial delta value from breaking my visualization?

somesoni2 — Wed, 21 Sep 2016 20:54:30 GMT

Try this

sourcetype=abc SCTP host="abc.com" | bucket span=5m _time | stats max(field1) as field1 max(field2) as field2 by _time
| delta field1 as field1d
| delta field2 as field2d