Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple devices in delta command?

alex8103
Explorer
‎06-08-2024 04:30 AM

Hello everyone,

I use the Delta command in splunk enterprise to record the power consumption of a device. This only gives me the difference in consumption. Now, however, I want to add 3 more devices to the same diagram, so the whole thing should be added up to a total consumption. Is this possible with Delta, and if so, how? Which commands do I need for this?


Greetings

Alex

Labels (2)
Labels
Tags (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-08-2024 01:15 PM

Delta is a relatively simple command - just calculates difference from previous value. Nothing more, nothing less.

If you want to track the differences separately for - for example - different devices, you need to use streamstats to copy over previous value of a given field X separetely for each value of field Y (or a combination of more fields).

| streamstats current=f window=1 values(myfield) as old_myfield by splitfield

Now you can just calculate the difference of myfield and old_myfield.

Reply

tscroggins
Influencer
‎06-08-2024 09:10 AM

Hi @alex8103,

If your measurements are cumulative,  you can use either a simple stats range aggregation or a combination of streamstats and stats, assuming a valid epoch _time value:

| stats range(_time) as dt range(W) as dW by device
| eval kWh=(dW/1000)*(dt/3600)
| sort 0 _time
| streamstats current=f global=f window=2 last(_time) as pre_time last(W) as pre_W by device
| eval dt=_time-pre_time, dW=W-pre_W
| stats sum(dW) as dW sum(dt) as dt by device
| eval kWh=(dW/1000)*(dt/3600)

If you want to chart differences between cumulative measurements over _time, you can use streamstats and timechart:

| sort 0 _time
| streamstats current=f global=f window=2 last(_time) as pre_time last(W) as pre_W by device
| eval dt=_time-pre_time, dW=W-pre_W
| timechart eval((sum(dW)/1000)*(sum(dt)/3600)) as kWh by device

The timechart command snaps values to the nearest bin. If you need a more precise chart, use a span  argument corresponding to your time measurement precision.

(I don't work with power measurements. If I did the admittedly very basic math incorrectly, please correct it in a reply!)

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...