Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple devices in delta command?

alex8103
Explorer
‎06-08-2024 04:30 AM

Hello everyone,

I use the Delta command in splunk enterprise to record the power consumption of a device. This only gives me the difference in consumption. Now, however, I want to add 3 more devices to the same diagram, so the whole thing should be added up to a total consumption. Is this possible with Delta, and if so, how? Which commands do I need for this?


Greetings

Alex

Labels (2)
Labels
Tags (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-08-2024 01:15 PM

Delta is a relatively simple command - just calculates difference from previous value. Nothing more, nothing less.

If you want to track the differences separately for - for example - different devices, you need to use streamstats to copy over previous value of a given field X separetely for each value of field Y (or a combination of more fields).

| streamstats current=f window=1 values(myfield) as old_myfield by splitfield

Now you can just calculate the difference of myfield and old_myfield.

Reply

tscroggins
Influencer
‎06-08-2024 09:10 AM

Hi @alex8103,

If your measurements are cumulative,  you can use either a simple stats range aggregation or a combination of streamstats and stats, assuming a valid epoch _time value:

| stats range(_time) as dt range(W) as dW by device
| eval kWh=(dW/1000)*(dt/3600)
| sort 0 _time
| streamstats current=f global=f window=2 last(_time) as pre_time last(W) as pre_W by device
| eval dt=_time-pre_time, dW=W-pre_W
| stats sum(dW) as dW sum(dt) as dt by device
| eval kWh=(dW/1000)*(dt/3600)

If you want to chart differences between cumulative measurements over _time, you can use streamstats and timechart:

| sort 0 _time
| streamstats current=f global=f window=2 last(_time) as pre_time last(W) as pre_W by device
| eval dt=_time-pre_time, dW=W-pre_W
| timechart eval((sum(dW)/1000)*(sum(dt)/3600)) as kWh by device

The timechart command snaps values to the nearest bin. If you need a more precise chart, use a span  argument corresponding to your time measurement precision.

(I don't work with power measurements. If I did the admittedly very basic math incorrectly, please correct it in a reply!)

Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...