Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple devices in delta command?

alex8103
Explorer
‎06-08-2024 04:30 AM

Hello everyone,

I use the Delta command in splunk enterprise to record the power consumption of a device. This only gives me the difference in consumption. Now, however, I want to add 3 more devices to the same diagram, so the whole thing should be added up to a total consumption. Is this possible with Delta, and if so, how? Which commands do I need for this?


Greetings

Alex

Labels (2)
Labels
Tags (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-08-2024 01:15 PM

Delta is a relatively simple command - just calculates difference from previous value. Nothing more, nothing less.

If you want to track the differences separately for - for example - different devices, you need to use streamstats to copy over previous value of a given field X separetely for each value of field Y (or a combination of more fields).

| streamstats current=f window=1 values(myfield) as old_myfield by splitfield

Now you can just calculate the difference of myfield and old_myfield.

Reply

tscroggins
Influencer
‎06-08-2024 09:10 AM

Hi @alex8103,

If your measurements are cumulative,  you can use either a simple stats range aggregation or a combination of streamstats and stats, assuming a valid epoch _time value:

| stats range(_time) as dt range(W) as dW by device
| eval kWh=(dW/1000)*(dt/3600)
| sort 0 _time
| streamstats current=f global=f window=2 last(_time) as pre_time last(W) as pre_W by device
| eval dt=_time-pre_time, dW=W-pre_W
| stats sum(dW) as dW sum(dt) as dt by device
| eval kWh=(dW/1000)*(dt/3600)

If you want to chart differences between cumulative measurements over _time, you can use streamstats and timechart:

| sort 0 _time
| streamstats current=f global=f window=2 last(_time) as pre_time last(W) as pre_W by device
| eval dt=_time-pre_time, dW=W-pre_W
| timechart eval((sum(dW)/1000)*(sum(dt)/3600)) as kWh by device

The timechart command snaps values to the nearest bin. If you need a more precise chart, use a span  argument corresponding to your time measurement precision.

(I don't work with power measurements. If I did the admittedly very basic math incorrectly, please correct it in a reply!)

Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...