Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multiple devices in delta command?

alex8103
Explorer
‎06-08-2024 04:30 AM

Hello everyone,

I use the Delta command in splunk enterprise to record the power consumption of a device. This only gives me the difference in consumption. Now, however, I want to add 3 more devices to the same diagram, so the whole thing should be added up to a total consumption. Is this possible with Delta, and if so, how? Which commands do I need for this?


Greetings

Alex

Labels (2)
Labels
Tags (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-08-2024 01:15 PM

Delta is a relatively simple command - just calculates difference from previous value. Nothing more, nothing less.

If you want to track the differences separately for - for example - different devices, you need to use streamstats to copy over previous value of a given field X separetely for each value of field Y (or a combination of more fields).

| streamstats current=f window=1 values(myfield) as old_myfield by splitfield

Now you can just calculate the difference of myfield and old_myfield.

Reply

tscroggins
Champion
‎06-08-2024 09:10 AM

Hi @alex8103,

If your measurements are cumulative,  you can use either a simple stats range aggregation or a combination of streamstats and stats, assuming a valid epoch _time value:

| stats range(_time) as dt range(W) as dW by device
| eval kWh=(dW/1000)*(dt/3600)
| sort 0 _time
| streamstats current=f global=f window=2 last(_time) as pre_time last(W) as pre_W by device
| eval dt=_time-pre_time, dW=W-pre_W
| stats sum(dW) as dW sum(dt) as dt by device
| eval kWh=(dW/1000)*(dt/3600)

If you want to chart differences between cumulative measurements over _time, you can use streamstats and timechart:

| sort 0 _time
| streamstats current=f global=f window=2 last(_time) as pre_time last(W) as pre_W by device
| eval dt=_time-pre_time, dW=W-pre_W
| timechart eval((sum(dW)/1000)*(sum(dt)/3600)) as kWh by device

The timechart command snaps values to the nearest bin. If you need a more precise chart, use a span  argument corresponding to your time measurement precision.

(I don't work with power measurements. If I did the admittedly very basic math incorrectly, please correct it in a reply!)

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...