https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-delta-grouped-by-a-field-in-a-search-to/m-p/251151#M75025 <P>How about you use <CODE>autoregress</CODE> which will be able to look at previous event something like this</P> <PRE><CODE>your base query to return all the events | sort queueName, seqId | autoregress queueName as oldQ p=1 | autoregress seqId as oldSeq p=1 | eval flag=if( ( queueName=oldQ ) AND ( seqId != (oldSeq +1)), 1, 0) | table queueName, seqId, oldSeqId, flag | where flag=1 | fields -flag </CODE></PRE> <P>You can alternatively tweak the if condition of <CODE>( seqId != (oldSeq +1))</CODE> to something like <CODE>( seqId - oldSeq &gt; 1)</CODE> or whichever way you feel shall better represent your case.</P> <P>Also if you feel sorting on <CODE>_time</CODE> will also help put the sequences in a better order than already done by <CODE>| sort queueName, seqId</CODE> the try to combine <CODE>_time</CODE> in there to make it <CODE>| sort queueName, seqId, _time</CODE></P> Tue, 29 Nov 2016 22:40:03 GMT gokadroid 2016-11-29T22:40:03Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-delta-grouped-by-a-field-in-a-search-to/m-p/251150#M75024 <P>Is it possible to do delta groupby some field? I have an application which is processing data from multiple queues. Each queue has independent ever increment sequence number. I need to find a missing sequence with search. The log format looks like:</P> <P>2016-11-21 17:15:40,803 queueName=q1, seqid = 12<BR /> 2016-11-21 17:26:40,803 queueName=q2, seqid = 32<BR /> 2016-11-21 17:27:40,803 queueName=q3, seqid = 114<BR /> 2016-11-21 17:44:41,803 queueName=q3, seqid = 113<BR /> 2016-11-21 17:50:49,803 queueName=q2, seqid = 34<BR /> 2016-11-21 17:51:40,803 queueName=q2, seqid = 33<BR /> 2016-11-21 17:53:40,803 queueName=q1, seqid = 13<BR /> 2016-11-21 17:58:22,803 queueName=q3, seqid = 116</P> <P>I am using </P> <PRE><CODE>sort queueName,seqid | delta seqid as seq_diff | search seq_diff &gt; 1 | table queueName,seqid,seqid_diff </CODE></PRE> <P>But this does not take care of checking diff across queueName. How do I restrict delta by queueName?</P> Tue, 29 Nov 2016 22:28:30 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-delta-grouped-by-a-field-in-a-search-to/m-p/251150#M75024 avanishm 2016-11-29T22:28:30Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-delta-grouped-by-a-field-in-a-search-to/m-p/251151#M75025 <P>How about you use <CODE>autoregress</CODE> which will be able to look at previous event something like this</P> <PRE><CODE>your base query to return all the events | sort queueName, seqId | autoregress queueName as oldQ p=1 | autoregress seqId as oldSeq p=1 | eval flag=if( ( queueName=oldQ ) AND ( seqId != (oldSeq +1)), 1, 0) | table queueName, seqId, oldSeqId, flag | where flag=1 | fields -flag </CODE></PRE> <P>You can alternatively tweak the if condition of <CODE>( seqId != (oldSeq +1))</CODE> to something like <CODE>( seqId - oldSeq &gt; 1)</CODE> or whichever way you feel shall better represent your case.</P> <P>Also if you feel sorting on <CODE>_time</CODE> will also help put the sequences in a better order than already done by <CODE>| sort queueName, seqId</CODE> the try to combine <CODE>_time</CODE> in there to make it <CODE>| sort queueName, seqId, _time</CODE></P> Tue, 29 Nov 2016 22:40:03 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-delta-grouped-by-a-field-in-a-search-to/m-p/251151#M75025 gokadroid 2016-11-29T22:40:03Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-delta-grouped-by-a-field-in-a-search-to/m-p/251152#M75026 <P>Try <CODE>streamstats</CODE> instead <A href="http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/">http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/</A></P> <PRE><CODE>... | streamstats window=1 current=f values(seqid) as next_seqid by queueName | eval seq_diff = next_seqid - seqid | where seq_diff &gt; 1 | table queueName seqid seqid_diff </CODE></PRE> Tue, 29 Nov 2016 23:13:02 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-delta-grouped-by-a-field-in-a-search-to/m-p/251152#M75026 sundareshr 2016-11-29T23:13:02Z